Opened 5 years ago

#1639 new defect

Multiple SQL injection in wordpress poll

Reported by: marcelinha26
Owned by: Cardoza Vinoj
Priority: high
Severity: critical
Plugin: not-listed
Keywords: vulnerability, sql injection
Cc:

Description

I have found multiple SQL injection vulnerabilities in the file CWPPoll.js, to be more specific in the viewPollResults and userlogs functions. The problem resides in the pollid parameter, which is not sanitised. Thus, via an AJAX call from a script, I can inject SQL code like this:

POC

/wp-admin/admin-ajax.php/?poll_id=2or 1=1&action=view_poll_result

/wp-admin/admin-ajax.php/?poll_id=2or 1=1&action=view_poll_logs

Besides, I have found several functions which could be used by an attacker in order to destroy poll information:

function editAnswer(answerid, poll_id)
function deleteAnswer(answerid, poll_id)
function addAnswer(polls_id)
function deletePoll()

The attacker just has to call these functions and send them any number and the results can be catastrophic.
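
Added example, not part of the ticket and not the plugin's own code: one way the server-side AJAX handlers behind these calls could validate poll_id, bind it in a prepared statement, and require a nonce and capability before reading or deleting poll data. The table names, column names, nonce action, the delete_poll action name and the manage_options capability are assumptions; only the view_poll_result action and the poll_id parameter come from the ticket.

```php
<?php
// Hypothetical handlers (assumed names: tables {prefix}cwp_polls and
// {prefix}cwp_poll_answers, nonce action 'cwp_poll_admin', action 'delete_poll').

// Shared gate: valid nonce, sufficient capability, strictly numeric poll_id.
function cwp_example_checked_poll_id() {
    // Dies with 403 unless the request carries a valid nonce in 'nonce'.
    check_ajax_referer( 'cwp_poll_admin', 'nonce' );

    // Capability is an assumption; choose the one that matches who manages polls.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // sends JSON and stops execution
    }

    $raw = isset( $_REQUEST['poll_id'] ) ? wp_unslash( $_REQUEST['poll_id'] ) : '';
    // A value such as "2or 1=1" is rejected here: only digits are accepted.
    if ( ! is_string( $raw ) || ! ctype_digit( $raw ) ) {
        wp_send_json_error( 'invalid poll_id', 400 );
    }
    return absint( $raw );
}

function cwp_example_view_poll_result() {
    global $wpdb;
    $poll_id = cwp_example_checked_poll_id();
    $table   = $wpdb->prefix . 'cwp_poll_answers';

    // %d binds poll_id as an integer, so input cannot extend the WHERE clause.
    $rows = $wpdb->get_results(
        $wpdb->prepare( "SELECT * FROM {$table} WHERE poll_id = %d", $poll_id )
    );
    wp_send_json_success( $rows );
}

function cwp_example_delete_poll() {
    global $wpdb;
    $poll_id = cwp_example_checked_poll_id();
    // $wpdb->delete() builds a prepared statement; '%d' forces an integer.
    $deleted = $wpdb->delete( $wpdb->prefix . 'cwp_polls', array( 'id' => $poll_id ), array( '%d' ) );
    wp_send_json_success( array( 'deleted' => (int) $deleted ) );
}

// Only the logged-in hooks are registered; no wp_ajax_nopriv_* hook is added.
add_action( 'wp_ajax_view_poll_result', 'cwp_example_view_poll_result' );
add_action( 'wp_ajax_delete_poll', 'cwp_example_delete_poll' );
```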

Change History (0)
