Advisory #: 152
Title: Blind SQL Injection in wordpress plugin dukapress v2.5.9
Author: Larry W. Cashdollar, @_larry0
Date: 2015-08-04
[CVE-2015-1000011]
Download Site: http://wordpress.org/plugins/dukapress/
Vendor: dukapress.org
Vendor Notified: 2015-08-07
Vendor Contact: https://twitter.com/moshthepitt
Advisory: http://www.vapidlabs.com/advisory.php?v=152
Description: DukaPress is open source software that can be used to build online shops quickly and easily. DukaPress is built on top of WordPress, a world class content management system. DukaPress is built to be both simple and elegant yet powerful and scalable.
Vulnerability:
The code in dukapress/download.php does not sanitize user input before passing via $_GET['id'] to query() allowing SQL to be injected. The user is not required to be logged into wordpress in order to exploit this vulnerability. 9:$sql = "SELECT saved_name, real_name, count, TIMESTAMPDIFF(SECOND,sent_time,NOW()) as time_diff FROM `{$table_name2}` WHERE saved_name='{$_GET['id']}'"; . . . 26: $wpdb->query("UPDATE {$table_name2} SET count={$download_count} WHERE saved_name='{$_GET['id']}'");
Export: JSON TEXT XML
Exploit Code:
  1.  
Screen Shots:
Notes: