The file xooclasses/xoo.userultra.photos.php in the users-ultra plugin contains the following code:
```
public function edit_video_confirm ()
{
    global $wpdb, $xoouserultra;
    require_once(ABSPATH . 'wp-includes/formatting.php');
    $user_id = get_current_user_id();
    $video_id = $_POST["video_id"]; // video_id is taken directly from POST
    $video_name = sanitize_text_field($_POST["video_name"]);
    $video_unique_id = sanitize_text_field($_POST["video_unique_id"]);
    $video_type = sanitize_text_field($_POST["video_type"]);
    if($video_id!="")
    {
        $query = "UPDATE " . $wpdb->prefix ."usersultra_videos SET `video_name` = '$video_name', `video_unique_vid` = '$video_unique_id' , `video_type` = '$video_type' WHERE `video_id` = '$video_id' AND `video_user_id` = '$user_id' ";
        // the WHERE clause is injectable
        $wpdb->query( $query );
    }
    die();
}
```
In this function it is clear that `video_id` from the POST data goes into the query without any filtering.

The file js/expandible.js performs the following request:
```
//edit video
jQuery(document).on("click", "a[href='#resp_edit_video']", function(e) {
    e.preventDefault();
    var video_id = jQuery(this).attr("data-id");
    jQuery.ajax({
        type: 'POST',
        url: ajaxurl,
        data: {"action": "edit_video", "video_id": video_id },
        success: function(data){
            jQuery("#video-edit-div-"+video_id).html(data);
            jQuery( "#video-edit-div-"+video_id ).slideDown();
        }
    });
```
Injection is possible.
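For comparison, here is a hardened form of the same handler, added as an example and not the plugin's own code. It assumes it runs inside WordPress (`$wpdb`, `get_current_user_id()` and the `check_ajax_referer()` helper are available); the wrapping class name and the nonce action name `uultra_edit_video` are hypothetical.

```php
<?php
// Added example (not the plugin's code): edit_video_confirm() with every value bound
// through $wpdb->prepare(), so video_id can no longer alter the WHERE clause.
class XooUserUltra_Photos_Hardened // hypothetical class name
{
    public function edit_video_confirm()
    {
        global $wpdb;

        // Reject requests that did not originate from the plugin's own form/JS
        // ('uultra_edit_video' is an assumed nonce action name).
        check_ajax_referer( 'uultra_edit_video', 'nonce' );

        $user_id = get_current_user_id();
        if ( ! $user_id ) {
            wp_send_json_error( 'not logged in', 401 );
        }

        // video_id is a numeric primary key: coerce it to a non-negative integer
        // instead of trusting the raw POST string.
        $video_id        = isset( $_POST['video_id'] ) ? absint( $_POST['video_id'] ) : 0;
        $video_name      = sanitize_text_field( wp_unslash( $_POST['video_name'] ?? '' ) );
        $video_unique_id = sanitize_text_field( wp_unslash( $_POST['video_unique_id'] ?? '' ) );
        $video_type      = sanitize_text_field( wp_unslash( $_POST['video_type'] ?? '' ) );

        if ( $video_id > 0 ) {
            $table = $wpdb->prefix . 'usersultra_videos';
            // %s / %d placeholders: $wpdb escapes and quotes each value itself, so nothing
            // from the request is ever concatenated into the SQL string by hand.
            $sql = $wpdb->prepare(
                "UPDATE {$table}
                    SET `video_name` = %s, `video_unique_vid` = %s, `video_type` = %s
                  WHERE `video_id` = %d AND `video_user_id` = %d",
                $video_name, $video_unique_id, $video_type, $video_id, $user_id
            );
            $wpdb->query( $sql );
        }
        wp_die();
    }
}
```

The ownership check (`video_user_id = current user`) is kept inside the prepared statement, so a request for another user's `video_id` simply updates zero rows.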