exploit the possibilities

Register Plus Redux XSS / SQL Injection / Code Execution

Register Plus Redux XSS / SQL Injection / Code Execution
Posted Dec 29, 2011
Authored by MustLive

Register Plus Redux versions and below suffer from cross site scripting, remote SQL injection and code execution vulnerabilities.

tags | exploit, remote, vulnerability, code execution, xss, sql injection
MD5 | 5854f76518ef7422568805884e91a5f4

Register Plus Redux XSS / SQL Injection / Code Execution

Change Mirror Download
Hello list!

I want to warn you about multiple new vulnerabilities in plugin Register
Plus Redux for WordPress. Last version of the plugin was checked.

These are Cross-Site Scripting, SQL Injection, Code Execution and Full path
disclosure vulnerabilities.

Affected products:

Vulnerable are Register Plus Redux v3.7.3.1 and previous versions.

By request of my client I've made new version of the plugin with fixing of
all vulnerabilities, which I found. I named this version as Register Plus
Redux 3.8 (to distinguish between it and original version of the plugin). So
all users of this plugin can find new and secure version of the plugin in


XSS (WASC-08):

POST request at page http://site/wp-login.php?action=register
In field About Yourself.

By using function Autocomplete URL it's possible to conduct attack via GET:


At plugin options page the protection against CSRF is used, so it needs to
use reflected XSS for bypassing it and conducting of persistent XSS and
persistent SQL Injection attacks.

Persistent XSS (WASC-08):

At set option "Show Invitation Code Tracking widget on Dashboard" in plugin
settings and adding invitation code (Add a new invitation code), it's
possible to set JS/VBS code.

Which will work at page Dashboard (http://site/wp-admin/index.php).

Persistent SQL Injection (WASC-19):

At set option "Show Invitation Code Tracking widget on Dashboard" in plugin
settings and adding invitation code (Add a new invitation code), it's
possible to set for SQL Injection.
' and benchmark(1000000,md5(now())) and 1='1

Which will work at visiting of the page Dashboard
(http://site/wp-admin/index.php). This is Persistent Blind SQL Injection

Code Execution (WASC-31):

If to have access to plugin settings, it's possible to conduct Code
Execution via field Custom Logo URL via uploading of 1.phtml.jpg. It's
depends of version of the engine, which I've wrote about in post Code
Execution in WordPress 2.5 - 3.1.1 (http://websecurity.com.ua/5108/). This
attack will work in versions of engine before WordPress 3.1.3, where
developers fixed upload functionality (which is used by the plugin).

Full path disclosure (WASC-13):


In register-plus-redux.php there is FPD (as in previous versions). And file
dash_widget.php (with FPD) was remade to
dashboard_invitation_tracking_widget.php, which already has no FPD.

Also FPD was fixed at POST request at page
http://site/wp-login.php?action=register. But in special way it can be

At adding of new field in Additional Fields and at setting 1 (or almost any
value) in field Options and at turning on the option Show on Registration,
FPD will appear at POST request at page

Also it's possible to add to the site two FPD vulnerabilities. If to set in
Custom Logo URL the address to not image file or just "http://", then there
will be showing error message with FPD at pages
http://site/wp-admin/options-general.php?page=register-plus-redux and


2011.11.25 - found vulnerabilities.
2011.11.30 - fixed vulnerabilities.
2011.11.30 - Informed developer.
2011.11.30 - announced at my site.
2011.11.30 - released Register Plus Redux 3.8 (with fixed all
vulnerabilities of version
2011.12.05 - released Register Plus Redux 3.8.1 (with new features).
2011.12.29 - disclosed at my site.

I mentioned about these vulnerabilities at my site:

Best wishes & regards,
Administrator of Websecurity web site


RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    34 Files
  • 2
    Jul 2nd
    15 Files
  • 3
    Jul 3rd
    9 Files
  • 4
    Jul 4th
    8 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    3 Files
  • 7
    Jul 7th
    1 Files
  • 8
    Jul 8th
    15 Files
  • 9
    Jul 9th
    15 Files
  • 10
    Jul 10th
    20 Files
  • 11
    Jul 11th
    17 Files
  • 12
    Jul 12th
    16 Files
  • 13
    Jul 13th
    2 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    20 Files
  • 16
    Jul 16th
    27 Files
  • 17
    Jul 17th
    7 Files
  • 18
    Jul 18th
    5 Files
  • 19
    Jul 19th
    12 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2019 Packet Storm. All rights reserved.

Security Services
Hosting By