Recently reported by Claudio Viviani, there is an SQL injection in this plugin, which has been downloaded more than 100k times. Developed by Apptha (again), the current version 2.7 is still vulnerable and downloadable from the official WordPress Plugin Directory.

The hole comes from the lack of filtering on the GET parameter vid in /wp-content/plugins/contus-video-gallery/videogalleryrss.php (the plugin must be enabled to perform the injection):

case 'video':
  $thumbImageorder = 'w.vid ASC';
  $vid             = filter_input(INPUT_GET,'vid');
  $where           = 'AND w.vid ='.$vid;
  $TypeOFvideos    = $contusOBJ->home_thumbdata( $thumbImageorder , $where , $dataLimit );
break;

Since no filter is specified when calling filter_input, the default filter is used, which is FILTER_UNSAFE_RAW. According to the PHP documentation, FILTER_UNSAFE_RAW deletes chars under 32 and over 127 and converts & to &amp;.

Of course, that is not enough to protect the query built in /wp-content/plugins/contus-video-gallery/front/models/videohome.php:

$query = 'SELECT distinct w.*,s.guid,s.ID,p.playlist_name,p.pid,p.playlist_slugname FROM ' . $this->_videoinfotable . ' w
LEFT JOIN ' . $this->_wpdb->prefix . 'hdflvvideoshare_med2play m ON m.media_id = w.vid
LEFT JOIN ' . $this->_wpdb->prefix . 'hdflvvideoshare_playlist p ON p.pid=m.playlist_id
LEFT JOIN ' . $this->_wpdb->prefix . 'posts s ON s.ID=w.slug
WHERE w.publish=1 AND p.is_publish=1 ' . $where . ' GROUP BY w.vid ORDER BY ' . $thumImageorder . ' LIMIT ' . $dataLimit;

Rendered as:

SELECT distinct w.*,s.guid,s.ID,p.playlist_name,p.pid,p.playlist_slugname FROM wp_hdflvvideoshare w
LEFT JOIN wp_hdflvvideoshare_med2play m ON m.media_id = w.vid
LEFT JOIN wp_hdflvvideoshare_playlist p ON p.pid=m.playlist_id
LEFT JOIN wp_posts s ON s.ID=w.slug
WHERE w.publish=1 AND p.is_publish=1 AND w.vid =234 GROUP BY w.vid ORDER BY w.vid ASC LIMIT 1000
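As an added example (not the plugin's or the author's code), here is the same vid handling written with an integer filter and a bound placeholder, side by side with the unsafe concatenation. The function names are hypothetical, and filter_var stands in for filter_input so the snippet runs from the CLI without a web request; in the real plugin the bound fragment would go through $wpdb->prepare().

```php
<?php
// Added example, not from the plugin. Helper names are hypothetical.

// Vulnerable pattern from the plugin: the raw GET value is concatenated
// straight into the WHERE clause, so anything non-numeric becomes SQL.
function vid_where_unsafe(?string $raw): string {
    return 'AND w.vid =' . $raw;
}

// Hardened pattern: validate as a positive integer first, then bind it.
// Returns null when the value is missing or not an integer so the caller
// can return an empty feed instead of building a query at all.
function vid_where_safe(?string $raw): ?array {
    // In the plugin this would be filter_input(INPUT_GET, 'vid', FILTER_VALIDATE_INT, ...)
    $vid = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($vid === false) {
        return null;
    }
    // With WordPress loaded: $wpdb->prepare('AND w.vid = %d', $vid).
    // Here the fragment and the bound value are returned separately.
    return ['sql' => 'AND w.vid = %d', 'params' => [$vid]];
}

// Constructed inputs: a legitimate id, a tampered value, and a missing value.
foreach (['234', '234 OR 1=1', null] as $input) {
    echo 'input:  ' . var_export($input, true) . "\n";
    echo '  unsafe: ' . vid_where_unsafe($input) . "\n";
    $safe = vid_where_safe($input);
    echo '  safe:   ' . ($safe === null
        ? 'rejected (no query built)'
        : $safe['sql'] . ' bound to ' . json_encode($safe['params'])) . "\n";
}
```

Only the first input survives the hardened path; the other two never reach the database.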

Here is the POC:

[Screenshot: wordpress video gallery sqli]

Remember that this is not the first time Apptha has released a plugin with a major vulnerability. Months ago, HD FLV Player was affected.