During an evaluation of the Wordpress Plugin SP Project & Document manager I discovered several vulnerabilities. They are also examples of classical OWASP vulnerabilities that are oh so well known but still present in far too many applications. The plugin is used by thousands of Wordpress sites and the developer Smartypantsplugins is even offering commercial services around that plugin. So there is (was) quite a number of Google Dorks that could be found easily.
Several SQL injections have been known in version 2.4.1 but have been fixed in between. Interestingly, at least two of them reappeared and are present again in version 126.96.36.199:
The injections in the
and the POST-Parameter
are vulnerable. Have a look here for the original information on this.
Both injections can be exploited easily by sqlmap:
sqlmap -u "http://wordpress.local.de/wp-content/plugins/sp-client-document-manager/admin/ajax.php?function=download-project&id=1*" -p id --dbms mysql
sqlmap -u "http://wordpress.local.de/wp-content/plugins/sp-client-document-manager/admin/ajax.php?function=email-vendor" --data="vendor_email=0) OR (1=1 *" --dbms mysql
2. Arbitrary code executions
Registered users can upload PHP files (
*.php5 etc.) and execute them via a GET request to their specific location in the default upload path (which can vary depending on the configuration of the plugin). The URL to uploaded files typically looks like
1 is the user id of the user who uploaded the file and the last part of the URL is the filename. So its easy to guess if the admin sticks to the default configuration.
Interestingly, files can even be accessed directly if the option “Require Login to Download” is checked in the plugin configuration. So theres a false sense of security given here.
3. Information leakage
Information about uploaded files can be retrieved by non-logged in users via a call to admin/ajax.php:
Specifically you can retrieve info about the upload user id and filename to determine the URL for direct access to the file (see 3).
4. XSS Vulnerability
This is another classic and you don’t even need a fancy vector here. The (non-persistent) vulnerability can be found in the admin/ajax.php file for function=email-vendor. This is the request-response delivered to and from the app:
Mitigation and vendor response
Most of these issues have been fixed in the meantime and before I disclosed this information to the public. Though the vendor did not react after my first message to him, he published a fix some weeks after I reported this issue to the Wordpress security team.
EDIT: It was brought to my attention that the file upload vulnerability (issue 2) still persists! So please check yourself if this is the case in newer versions. And if yes, stay away from this plugin.
The information about this vulnerability appeared on Bugtraq.