CVE-2013-7242

MEDIUM 6.5 / 10.0
Published: December 31, 2013 at 03:16 PM
Modified: April 11, 2025 at 12:51 AM
Source: cve@mitre.org

Vulnerability Description

SQL injection vulnerability in zp-core/zp-extensions/wordpress_import.php in Zenphoto before 1.4.5.4 allows remote authenticated administrators to execute arbitrary SQL commands via the tableprefix parameter.

CVSS Metrics

Base Score
6.5
Severity
MEDIUM
Vector String
AV:N/AC:L/Au:S/C:P/I:P/A:P

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Zenphoto versions prior to 1.4.5.4 are vulnerable to a SQL injection flaw in zp-core/zp-extensions/wordpress_import.php that allows authenticated administrators to inject SQL commands through the tableprefix parameter. Successful exploitation lets the attacker execute arbitrary SQL commands against the Zenphoto database, potentially leading to data exfiltration and compromise of the data it holds.

02 // Vulnerability Mechanism

Step 1: Authentication: The attacker must first authenticate as an administrator within the Zenphoto CMS.

Step 2: Payload Delivery: The attacker crafts a malicious tableprefix value containing a SQL injection payload. This payload is designed to execute arbitrary SQL commands.

Step 3: Request Submission: The attacker submits the crafted tableprefix value in an HTTP request to the wordpress_import.php script.

Step 4: Query Construction: The vulnerable script constructs a SQL query using the attacker-supplied tableprefix without proper sanitization.

Step 5: Query Execution: The database server executes the injected SQL commands embedded within the tableprefix value.

Step 6: Exploitation: The attacker leverages the executed SQL commands to achieve their objectives, such as data exfiltration, user account creation, or remote code execution (RCE) if the database server allows it.

03 // Deep Technical Analysis

The vulnerability stems from insufficient input validation of the tableprefix parameter within the zp-core/zp-extensions/wordpress_import.php file. Specifically, the code fails to properly sanitize user-supplied input before incorporating it into SQL queries. This allows an authenticated administrator to craft a malicious tableprefix value containing SQL commands. When the script processes this input, the injected SQL commands are executed by the database server, leading to unauthorized access and control. The root cause is a lack of parameterized queries or proper escaping of user-provided data within the SQL query construction process.
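The following is an added example, not Zenphoto's code or its actual patch. It assumes the tableprefix value ends up inside table names, as the parameter name suggests; an identifier cannot be carried by a bound parameter, so it has to be allow-listed before it is concatenated. The function names, the character policy, the `posts` suffix and the SQLite demo database are assumptions.

```php
<?php
// Added illustration; names and policy are assumptions, not Zenphoto's API.

// Allow-list a table prefix before it is concatenated into SQL.
// Assumed policy: ASCII letters, digits, underscore; 1 to 32 characters.
// \A and \z anchor the whole string; "$" would accept a trailing newline.
function validate_table_prefix(string $raw): string
{
    if (!preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $raw)) {
        throw new InvalidArgumentException('invalid table prefix');
    }
    return $raw;
}

// The identifier is validated and quoted; the data value is bound.
function fetch_posts(PDO $db, string $rawPrefix, string $status): array
{
    $table = '`' . validate_table_prefix($rawPrefix) . 'posts`';
    $stmt = $db->prepare("SELECT id, title FROM $table WHERE status = :status");
    $stmt->execute([':status' => $status]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data in an in-memory SQLite database (runs offline;
// SQLite accepts MySQL-style backtick quoting).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE wp_posts (id INTEGER PRIMARY KEY, title TEXT, status TEXT)');
$db->exec("INSERT INTO wp_posts (title, status) VALUES ('Hello', 'publish'), ('Notes', 'draft')");

// Constructed inputs: one ordinary prefix, then values the policy must reject.
$samples = ['wp_', 'wp_ x', 'wp_;', "wp_\n", '', str_repeat('a', 33)];

foreach ($samples as $prefix) {
    try {
        $rows = fetch_posts($db, $prefix, 'publish');
        printf("%-40s accepted, %d row(s)\n", json_encode($prefix), count($rows));
    } catch (InvalidArgumentException $e) {
        printf("%-40s rejected: %s\n", json_encode($prefix), $e->getMessage());
    }
}
```

Only the first sample reaches the database; the others are rejected before any SQL string is built.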
