lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 11 Jul 2013 02:58:44 +0300
From: Henri Salo <>
Subject: Re: Wordpress wp-private-messages Plugin Sql Injection vulnerability

On Sat, Jun 29, 2013 at 03:02:37PM +0000, wrote:
> # Exploit Title : Wordpress wp-private-messages Plugin Sql Injection vulnerability
> # Software Link :
> #[Sql]

Could not reproduce. Could you give us working PoC, thanks. I get error "Hack
Attempt: You don't allowed to reply this message!"

327 function wpu_reply_pm() {
328     global $current_user, $wpdb, $wpulang;
329     $msgid = $_GET["msgid"];
330     if(!$msgid || $msgid == "") { echo "Error while messaging!"; return; }
331     $pm = $wpdb->get_row("SELECT * FROM $wpdb->prefix".private_messages." WHERE id = $msgid", ARRAY_A);
333     if($pm['rcpid'] != $current_user->ID) { echo "<p>".__('Hack Attempt: You don\'t allowed to reply this message!', $wpulang)."</p>"; return; }

I tested with version 1.0.1

> # Dem0 :
> #[Sql]
> #[Sql]

Live sites as demo to SQL injection behind WordPress login, err what?

Also please note: This plugin hasn't been updated in over 2 years. It may no
longer be maintained or supported and may have compatibility issues when used
with more recent versions of WordPress.

Henri Salo

Download attachment "signature.asc" of type "application/pgp-signature" (199 bytes)

Powered by blists - more mailing lists