VDB-ID: 160
Title: Reflected XSS & Blind SQLi in WordPress plugin eShop v6.3.14
Vulnerability Date: 2016-01-27
Download: https://wordpress.org/plugins/eshop
Vendor: Richard Pedley
Notified: 2016-01-29
Vendor Contact: http://elfden.co.uk/

Description:
An accessible shopping cart plugin. eShop is an accessible shopping cart plugin for WordPress, packed with various features.

Vulnerability:
The following code snippets do not sanitize user input before passing it back to the browser via a $_GET request.
http://plugins.svn.wordpress.org/eshop/trunk/eshop-orders.php

From eshop-orders.php, XSS via the page & action variables. The HTML markup inside the echoed strings did not survive extraction of this advisory and is shown as "..." below; the point is that $_GET['page'] and $_GET['action'] are concatenated into that markup and echoed without escaping:

144 $apge=get_admin_url().'admin.php?page='.$_GET['page'].'&action='.$_GET['action'];
145 echo '...';
. .
303 $phpself='?page='.$_GET['page'];
. .
503 echo "...";
504 ?>
. .
586 $downloadable .='...'.$dlinfo->downloads.'...'.__('Increase','eshop').', '.__('Decrease','eshop').'...';
. .
642 echo '...'.__('Email:','eshop').'...'." ".$drow->email.' '.__('(sends a form email)','eshop')."...\n";
. .
746 if($status=='Deleted'){$delete="...".__('Completely delete this order?','eshop')."</a>...".__('Warning: this order will be completely deleted and cannot be recovered at a later date.','eshop')."...";}else{$delete='';};

Blind SQL Injection; requires an authenticated WordPress user.

Each of the values below is dropped into a single-quoted SQL string literal with no escaping and no $wpdb->prepare(), so a single quote in the parameter terminates the literal and the remainder of the parameter is parsed as SQL.

From eshop-orders.php, requires an admin user ($_GET['delid'] is passed straight into deleteorder() and into the query at line 293):

287 if (!function_exists('deleteorder')) {
288 function deleteorder($delid){
289 global $wpdb;
290 $dtable=$wpdb->prefix.'eshop_orders';
291 $itable=$wpdb->prefix.'eshop_order_items';
292 $dltable=$wpdb->prefix.'eshop_download_orders';
293 $checkid=$wpdb->get_var("Select checkid From $dtable where id='$delid' && status='Deleted'");
. .
392 eshop_admin_mode();
393 if(isset($_GET['delid']) && !isset($_GET['view'])){
394 deleteorder($_GET['delid']);

From eshop-orders.php, requires a regular logged-in user. The following code allows SQL injection via the unsanitized $view variable:

354 if(isset($_GET['view'])){
355 $view=$_GET['view'];
356 $status=$wpdb->get_var("Select status From $dtable where id='$view'");

SQL injection points via POST to mark & change (both the new status and the checkid are taken from the request and interpolated into an UPDATE):

421 if(isset($_POST['mark']) && !isset($_POST['change'])){
422 $mark=$_POST['mark'];
423 $checkid=$_POST['checkid'];
424 $query2=$wpdb->get_results("UPDATE $dtable set status='$mark' where checkid='$checkid'");
425 do_action( 'eshop_order_status_updated', $checkid, $mark );
426 echo '...'.__('Order status changed successfully.','eshop').'...';
427 }
. .
429 if(isset($_POST['change'])){
430 if(isset($_POST['move']) && $_POST['move'][0]!=''){
431 foreach($_POST['move'] as $v=>$ch){
432 $mark=$_POST['mark'];
433 $query2=$wpdb->get_results("UPDATE $dtable set status='$mark' where checkid='$ch'");
434 do_action( 'eshop_order_status_updated', $ch,$mark );

CVE-IDs: CVE-2016-0765 (XSS), CVE-2016-0769 (SQLi)
Exploit: XSS CVE-2016-0765, SQLi CVE-2016-0769
URL: http://www.vapidlabs.com/advisory.php?v=
Media: http://www.vapidlabs.com/m/eshop.png
Credit: Larry W. Cashdollar, @_larry0