In view of COVID-19 precaution measures, we remind you that ImmuniWeb Platform allows to easily configure and safely buy online all available solutions in a few clicks.

Total Tests:
Stay in Touch

Weekly newsletter on AI, Application Security & Cybercrime

Your data will stay confidential Private and Confidential

SQL Injection and RCE in WebsiteBaker

Advisory ID:HTB23296
Vendor:WebsiteBaker Org e.V.
Vulnerable Versions:2.8.3-SP5 and probably prior
Tested Version:2.8.3-SP5
Advisory Publication:February 24, 2016 [without technical details]
Vendor Notification:February 24, 2016
Vendor Fix:February 26, 2016
Public Disclosure:March 18, 2016
Latest Update:February 26, 2016
Vulnerability Type:SQL Injection [CWE-89]
CVE Reference:Pending
Risk Level:High
CVSSv2 Base Score:8.1 [CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H]
Solution Status:Fixed by Vendor
Discovered and Provided:High-Tech Bridge Security Research Lab

Advisory Details:

High-Tech Bridge Security Research Lab discovered SQL injection vulnerability in WebsiteBaker CMS. A remote attacker will be able to read, write or modify arbitrary information in the database, gain complete control over the vulnerable web application and even the entire web server on which the application is hosted.

The vulnerability exists due to insufficient filtration of user-supplied data passed via "language" HTTP POST parameter to "/account/preferences.php" PHP script. A remote authenticated attacker (the registration is open by default) can alter present SQL query, inject and execute arbitrary SQL commands in the application’s database.

Successful exploitation of vulnerability requires that the attacker is registered and authenticated, but the registration is open by default.

The following exploit code will assign administrative privileges to attacker’s account. To reproduce the vulnerability, just login to the website, copy-paste the code below into an empty HTML file and then open it in your browser:

<form action="http://[host]/account/preferences.php" method="post" name="f1">
<input type="hidden" name="display_name" value="username">
<input type="hidden" name="language" value="EN',group_id='1',groups_id='1">
<input type="hidden" name="action" value="details">
<input value="submit" id="btn" type="submit" />

We also attract your attention, that website administrator can edit the "intro.php" file and inject arbitrary PHP code into it using the following URL:


The injected code will be executed every time the user visits the following page:


Giving these circumstances, successful exploitation of SQL injection vulnerability will lead to Remote Code Execution and full compromise not just of the website, but of the entire web server and related environment.

How to Detect SQL Injection Vulnerabilities
Free Website Security Test
  • Non-intrusive GDPR Test
  • Non-intrusive PCI DSS Test
Try Free Test
ImmuniWeb® On-Demand
  • Complete GDPR Audit
  • Complete PCI DSS Audit
  • Remediation Guidelines
  • DevSecOps Integration
Learn More

Update to WebsiteBaker 2.8.3 SP6 RC3.0

More Information:

[1] High-Tech Bridge Advisory HTB23296 - - SQL Injection and RCE in WebsiteBaker
[2] WebsiteBaker - - WebsiteBaker helps you to create the website you want: A free, easy and secure, flexible and extensible open source content management system (CMS).
[3] Common Weakness Enumeration (CWE) - - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[4] ImmuniWeb® - Leveraging the power of machine-learning and genius of human brain to deliver the most advanced web application security and penetration testing.
[5] ImmuniWeb® SSLScan - Test your servers for security and compliance with PCI DSS, HIPAA and NIST.
Previous Security Advisories with CWE-89:

HTB23292: SQL Injection in WeBid

HTB23291: SQL Injection in webSPELL

User Comments
Add Comment
3 responses to "SQL Injection and RCE in WebsiteBaker"
user logo
Norbert 2016-03-17 12:43:37 UTC Comment this
There is a Patch available that does not require to upgrade to an unstable
version. Look at

Btw it would be nice to inform the WBCE dev team of issues like that too ,
as we share the same codebase.
user logo
Aldus 2016-04-18 12:59:58 UTC Comment this
Does not effect LEPTON-CMS since 1.3 because of the use of a
preg_match-test for the Language-Field and the leptoken-hashes.
user logo
erpe 2016-04-18 13:55:54 UTC Comment this
Would be nice to inform us in the future too, because we also share lot of core code. Please use contact page..
↑ Back to Top

Have additional information to submit?
Please feel free to send us any additional information related to this Advisory, such as vulnerable versions, additional exploitation details and conditions, patches and other relevant details.
How it Works Ask a Question