Sirv <= 1.3.1 - Authenticated SQL Injection
Description | $_POST['id'] is not escaped. sirv_get_row_by_id() is accessible to every registered user.
    $id = $_POST['row_id'];
    $row = $wpdb->get_row("SELECT * FROM $table_name WHERE id = $id", ARRAY_A);
    $row['images'] = unserialize($row['images']);
    echo json_encode($row);
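A hardened form of the handler quoted in the description, as an added example. It is not the plugin's own code or its 1.3.2 patch. The AJAX hook name, nonce action and field, required capability and table name are assumptions made for illustration.

```php
<?php
// Added example: hardened counterpart of the quoted handler.
// Assumed (not from the plugin): hook name, nonce action/field,
// the 'manage_options' capability and the table name.

add_action('wp_ajax_sirv_get_row_by_id', 'sirv_get_row_by_id_hardened');

function sirv_get_row_by_id_hardened() {
    global $wpdb;

    // Reject forged requests; 'sirv_ajax' and '_nonce' are assumed names.
    check_ajax_referer('sirv_ajax', '_nonce');

    // A wp_ajax_* hook only proves the caller is logged in,
    // so require a capability instead of accepting every registered user.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(array('message' => 'Forbidden'), 403);
    }

    // Coerce the identifier to a non-negative integer before it reaches SQL.
    $id = isset($_POST['row_id']) ? absint(wp_unslash($_POST['row_id'])) : 0;
    if ($id === 0) {
        wp_send_json_error(array('message' => 'Invalid row_id'), 400);
    }

    $table_name = $wpdb->prefix . 'sirv_shortcodes'; // assumed table name

    // Bind the value through a %d placeholder instead of interpolating it.
    $row = $wpdb->get_row(
        $wpdb->prepare("SELECT * FROM {$table_name} WHERE id = %d", $id),
        ARRAY_A
    );
    if ($row === null) {
        wp_send_json_error(array('message' => 'Not found'), 404);
    }

    // Decode the stored value without instantiating any classes.
    $row['images'] = unserialize($row['images'], array('allowed_classes' => false));

    // Sends the JSON response with the correct headers and exits.
    wp_send_json_success($row);
}
```

The integer cast and the prepared statement each close the injection on their own; the capability and nonce checks address the description's second point, that any registered user could reach the function.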
Affects Plugin
fixed in version 1.3.2
References
EXPLOITDB | 40772 |
URL | http://lenonleite.com.br/en/blog/2016/11/10/sirv-1-3-1-plugin-for-wordpress/ |
Classification
Type | SQLI |
OWASP Top 10 | A1: Injection |
CWE | CWE-89 |
Miscellaneous
Submitter | Lenon Leite |
Submitter Website | http://lenonleite.com.br/en/blog/2016/11/10/sirv-1-3-1-plugin-for-wordpress/ |
Submitter Twitter | lenonleite |
Views | 1864 |
Verified | No |
WPVDB ID | 8673 |
Timeline
Publicly Published | 2016-11-10 (over 2 years ago) |
Added | 2016-11-21 (about 2 years ago) |
Last Updated | 2016-11-21 (about 2 years ago) |