WordPress Comment Rating plug-in SQL injection and Security Bypass

Release date:
Updated on:

Affected Systems:
WordPress Comment Rating Plugin 2.x
Description:
--------------------------------------------------------------------------------
Bugtraq id: 58201

WordPress Comment Rating can add a 5-star Comment field to the Comment Form of WordPress, so that users can submit comments for Rating at the same time.

Comment Rating 2.9.32 does not correctly verify the voting request, resulting in multiple votes on one Comment. After "id" is set to valid comment id, "action" is set to "add" or "subtract", and "path" is set, /wp-content/plugins/comment-rating/ck-processkarma.php's "X-Forwarded-For" HTTP packet header domain, which allows attackers to insert arbitrary SQL code to manipulate SQL queries.

<* Source: ebanyu

Link: http://secunia.com/advisories/52348/
Http://www.exploit-db.com/exploits/24552/
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!

Http://www.example.com/wordpress/wp-content/plugins/comment-rating/ck-processkarma.php

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

WordPress
---------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:

Http://wordpress.org/extend/plugins/comment-rating-field-plugin/