• Is there any truth to this claim about the Toolbox theme? https://osvdb.org/show/osvdb/88293

    It claims:
    “Toolbox Theme for WordPress contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the /wp-content/Themes/toolbox/include/flyer.php script not properly sanitizing user-supplied input to the ‘mls’ parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.”

    Can anyone elaborate on this, whether it’s been fixed, or how one can patch it?

Viewing 1 replies (of 1 total)
  • I’m not sure where this is coming from, but if you download the theme, you’ll find that there is no /include/flyer.php file in the package.

    For future reference: if you happen to find a security vulnerability in one of our services, we would appreciate it if you let us know before disclosing the issue publicly, at:
    https://automattic.com/security/

    Thanks!

  • The topic ‘SQL Injection Vulnerability’ is closed to new replies.