Ultimate Product Catalogue <= 3.1.2 – Unauthenticated SQL Injection

Description

Unauthenticated SQL injection in parameter "SingleProduct" when a web visitor explores a product published by the web administrator. This exploit needs magic_quotes_gpc turned off in the destination server.

File Functions/Shortcodes.php line 779

Proof of Concept

http://<wordpress site>/?SingleProduct=2'+and+'a'='a
http://<wordpress site>/?SingleProduct=2'+and+'a'='b

Affects Plugins

ultimate-product-catalogue

Fixed in 3.1.3

References

Exploitdb

36823

Exploitdb

36824

URL

https://packetstormsecurity.com/files/#131812/

Classification

Type

SQLI

OWASP top 10

A1: Injection

CWE

CWE-89

Miscellaneous

Submitter

Felipe Molina

Submitter twitter

felmoltor

Verified

WPVDB ID

a0418fed-2f5f-4268-8791-e70c934c8f52

Timeline

Publicly Published

2015-04-23 (about 11 years ago)

Added

2015-04-27 (about 11 years ago)

Last Updated

2019-10-21 (about 6 years ago)

Other

Published

Title

Published

2019-08-07

Title

JoomSport <= 3.3 - SQL Injection

Published

2021-03-15

Title

Tutor LMS < 1.7.7 - SQL Injection via tutor_place_rating

Published

2025-01-31

Title

MultiLoca - WooCommerce Multi Locations Inventory Management < 4.1.12 - Authenticated (Subscriber+) SQL Injection

Published

2024-12-14

Title

TSB Occasion Editor <= 1.2.1 - Authenticated (Subscriber+) SQL Injection

Published

2023-06-23

Title

MStore API < 4.0.2 - Unauthenticated SQL Injection