Uber: SQLi in love.uber.com

ID H1:125181
Type hackerone
Reporter laps-forever
Modified 2016-04-25T17:33:27


@iad found an SQL injection vulnerability in one of our WordPress blog's plugins (the website being love.uber.com). This blog was hosted at WPEngine and did not contain any of our users' information. However, due to our previously vague bug bounty rules, we decided to reward the maximum of $3,000, since we were not previously clear that these were maximums. We are opting for limited disclosure, as password hashes are disclosed in the report, which we need to ensure have been rotated properly. The vulnerability was found in the WPML module. Kudos to Jouko Pynnönen, who found this bug in the WPML module (https://klikki.fi/adv/wpml.html).