WordPress Flexi Quote Rotator plugin multiple vulnerabilities

Advisory
Secunia Advisory SA 49910

Analysis
The admin interface of the Flexi Quote Rotator plugin for WordPress implements a way for editing a quote through the displayManagementPage function in /classes/quote-rotator-management.class.php.

It does so by checking the “action” GET parameter first. If it is “edit”, it concatenates the “id” GET parameter into a SQL query and writes the result out to the page. Because it does not sanitize the “id” GET parameter, this results in a SQL injection. In addition, this code path can be invoked without a nonce, which causes a CSRF vulnerability. Finally, while it output-encodes the author and quote columns, it does not encode the ID. This leaves two options for exploiting these three vulnerabilities:

  • Chaining the SQL injection and the XSS in order to execute JavaScript in the admin's browser
  • Chaining the SQL injection and the CSRF in order to execute arbitrary SQL blindly

Here is an example of the former, where we trick the admin user into clicking on our specially crafted URL:

The hex value that we use in order to bypass the magic quotes which WordPress enforces was generated this way:
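The fix for all three issues is shown below as an added illustration (not the plugin's own code): the pattern the analysis describes, beside a hardened version that uses the standard WordPress APIs. The table name, capability and nonce action name are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Table name, capability and
// nonce action are assumptions; the point is the three fixes the analysis calls for.

// Pattern described in the analysis (do not use): the id is concatenated
// straight into SQL, nothing ties the request to a nonce, and the id is
// echoed back unencoded.
function flexi_edit_quote_vulnerable() {
    global $wpdb;
    if ( isset( $_GET['action'] ) && 'edit' === $_GET['action'] ) {
        $row = $wpdb->get_row( "SELECT * FROM {$wpdb->prefix}quotes WHERE id = " . $_GET['id'] );
        echo '<input name="id" value="' . $row->id . '">';
    }
}

// Hardened form: capability check, nonce check, prepared statement, and
// output encoding of every column including the id.
function flexi_edit_quote_hardened() {
    global $wpdb;
    if ( ! isset( $_GET['action'] ) || 'edit' !== $_GET['action'] ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {   // assumed capability
        wp_die( 'Insufficient privileges' );
    }
    // Rejects the request unless it carries a nonce issued for this action,
    // which closes the CSRF chain. Edit links must then be generated with
    // wp_nonce_url( admin_url( 'admin.php?page=...&action=edit&id=...' ), 'flexi_edit_quote' ).
    check_admin_referer( 'flexi_edit_quote' );          // assumed nonce action

    // Cast to a non-negative integer and bind it with prepare(); nothing is
    // concatenated into SQL, so hex literals used to get past magic quotes
    // are no longer relevant.
    $id  = absint( $_GET['id'] );
    $row = $wpdb->get_row(
        $wpdb->prepare( "SELECT id, author, quote FROM {$wpdb->prefix}quotes WHERE id = %d", $id )
    );
    if ( null === $row ) {
        return;
    }
    // Encode every column on output, the id included, so a value that
    // reached the table through any other path cannot become stored XSS.
    printf( '<input type="hidden" name="id" value="%s">', esc_attr( $row->id ) );
    printf( '<p>%s</p><p>%s</p>', esc_html( $row->author ), esc_html( $row->quote ) );
}
```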
