wp_ajax_save_item() is accessible to every registered user (admin privileges are not checked). In is_id_exist(), $id is not escaped properly. $id is also not escaped inside get_item_data(), but those places are not accessible to non-admin users. What is more, $_REQUEST['itemid'] can also be used for reflected XSS.
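The three defects above (no capability check on the AJAX handler, an unescaped $id in the query, and an unescaped itemid reflected into output) are fixed by the same handful of WordPress APIs. The following handler is an added illustration of that hardened pattern, not code from the plugin or its vendor; the action name, nonce name, table name and the manage_options capability are assumptions for the example.

```php
<?php
// Added illustration (not the plugin's own code): a hardened AJAX "save item"
// handler. Action name, nonce name, table name and capability are assumptions.

add_action( 'wp_ajax_example_save_item', 'example_ajax_save_item' );

function example_ajax_save_item() {
    // 1. CSRF protection: the request must carry a nonce issued to this user
    //    (check_ajax_referer() dies with HTTP 403 if it is missing or invalid).
    check_ajax_referer( 'example_save_item', 'nonce' );

    // 2. Authorization: being logged in is not enough. Any registered user can
    //    reach a wp_ajax_* action, so the handler itself must require a capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Input validation: the item id must be a positive integer. absint()
    //    discards anything that is not a number, so no SQL or HTML can ride in it.
    $id = isset( $_REQUEST['itemid'] ) ? absint( $_REQUEST['itemid'] ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( 'invalid itemid', 400 );
    }

    if ( ! example_is_id_exist( $id ) ) {
        wp_send_json_error( 'item not found', 404 );
    }

    // Free-text fields are unslashed and sanitized before being stored.
    $name = isset( $_REQUEST['name'] )
        ? sanitize_text_field( wp_unslash( $_REQUEST['name'] ) )
        : '';
    update_option( 'example_item_' . $id, $name );

    // 4. Output encoding: anything echoed back is escaped for its context, so a
    //    crafted itemid cannot become reflected XSS. Esc_attr() is the right
    //    choice when the value lands inside an HTML attribute (e.g. the shortcode's
    //    player markup); esc_html() when it lands in element text.
    wp_send_json_success(
        array(
            'itemid' => $id,
            'html'   => '<div data-item="' . esc_attr( (string) $id ) . '">'
                        . esc_html( $name ) . '</div>',
        )
    );
}

function example_is_id_exist( $id ) {
    global $wpdb;

    // Parameterized query: $wpdb->prepare() binds $id as an integer (%d) instead
    // of interpolating the raw request value into the SQL string.
    $table = $wpdb->prefix . 'example_items'; // assumed table name
    $count = $wpdb->get_var(
        $wpdb->prepare( "SELECT COUNT(*) FROM {$table} WHERE id = %d", $id )
    );

    return (int) $count > 0;
}
```

The order matters: the nonce and capability checks run before any database access, so an unprivileged account never reaches the query at all, and the id is coerced to an integer before it is either queried or reflected, which closes both the blind SQL injection and the XSS with one validation step.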
Proof of Concept:
Log in as a standard user (created using wp-login.php?action=register), then:
This SQL will check whether the first password character of user ID=1 is "$".
If so, it will sleep for 5 seconds.
For XSS use:
It will be visible on every page where the wonderplugin_audio shortcode is used, and also in the admin panel:
Other blind SQL payloads, which will work only for users with admin privileges:
For reflected XSS use:
- 20-01-2015: Discovered
- 20-01-2015: Vendor notified
- 21-01-2015: Version 2.1 released, issue resolved