Pie Register 2.0.14-2.0.15 - SQL Injection
Description | User input is not validated correctly when accepting an Invitation Code; as a result, an SQL injection attack is possible. The attack is triggered when the parameters ‘show_dash_widget’ and ‘invitaion_code’ are supplied to any page by any user (anonymous or otherwise). |
Affects Plugin
Fixed in version 2.0.16
References
URL | https://research.g0blin.co.uk/g0blin-00040/ |
Classification
Type | SQLI |
OWASP Top 10 | A1: Injection |
CWE | CWE-89 |
Miscellaneous
Submitter | James Hooker |
Submitter Website | https://research.g0blin.co.uk |
Submitter Twitter | g0blinResearch |
Verified | No |
WPVDB ID | 7958 |
Timeline
Publicly Published | 2015-05-04 |
Added | 2015-05-04 |
Last Updated | 2015-07-04 |