• Resolved Anthony Thorne

    (@anthonythorne)


    Hello Sam,

    I hope this message finds you well. I wanted to draw your attention to a potential SQL injection vulnerability in your plugin, as detailed in this support thread: www.ads-software.com Support Topic (which was mistakenly closed as resolved) and the Patchstack database here. Despite the latest patch (version 1.8.19), the issue seems unresolved, with Patchstack still indicating “1 present, 0 patched” under the vulnerability history.

    I recommend revisiting my previous comment from two weeks ago, where I suggested using sanitize_sql_orderby for sanitizing the ‘order’ and ‘order by’ variables. This can be located in plugins/pre-party-browser-hints/includes/common/DAO.php, specifically in the?get_admin_hints_query?method, looking for " ORDER BY $order_by $order"This could potentially address the issue.

    Furthermore, it might be prudent to contact Muhammad Daffa, the original reporter of the vulnerability, for more detailed information. You can also reach out to Patchstack at [email protected] for further assistance.

    Thank you for your attention to this matter.

    Kind Regards,

    The page I need help with: [log in to see the link]

Viewing 4 replies - 1 through 4 (of 4 total)
Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Vulnerable to SQL Injection’ is closed to new replies.