The WordPress wp-private-messages plugin suffers from a SQL injection vulnerability.
#################################
Iranian Exploit DataBase
#################################
Exploit Title : WordPress wp-private-messages Plugin SQL Injection vulnerability
Author : Iranian Exploit DataBase
Discovered By : IeDb
Security Risk : High
Tested on : Linux
#################################
Exploit :
Dem0 :
#################################
Vuln Source C0de :
Line 145 :
$messages = $wpdb->get_results("SELECT id, sender, subject, date, status FROM $wpdb->prefix".private_messages." WHERE rcpid = '".$current_user->ID."' AND tosee = 1 ORDER BY date DESC");
And Line 160 :
echo "<a href=\"?page=".dirname(plugin_basename(__FILE__))."/wpu_private_messages.php&wpu=reply&msgid=".$message->id."\"><img src=\"". get_settings('siteurl') . "/wp-content/plugins/".dirname(plugin_basename(__FILE__))."/icons/reply.png\" alt=\"Reply!\" title=\"".__('Reply!', $wpulang)."\"></a>";
#################################
#################################
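A hardened form of the quoted query, written as an added example; it is not the plugin's own code or a vendor patch. It assumes the msgid value carried by the reply link on line 160 is later read from the request and used to look up one message. The function names pm_inbox and pm_message_for_reply and the rcpid ownership check on the reply lookup are assumptions.

```php
<?php
// Added example, not the plugin's code. Function names are hypothetical.
// Table and column names (private_messages, rcpid, tosee, ...) come from
// the query quoted on line 145.

/** Inbox listing: same query as line 145, with the value bound by prepare(). */
function pm_inbox( $wpdb, $user_id ) {
    // Quoted string for the table suffix instead of a bare constant.
    $table = $wpdb->prefix . 'private_messages';

    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, sender, subject, date, status FROM {$table}
             WHERE rcpid = %d AND tosee = 1 ORDER BY date DESC",
            (int) $user_id
        )
    );
}

/**
 * Reply lookup (assumed handler for the wpu=reply&msgid=... link).
 * msgid is request-controlled: coerce it to a non-negative integer,
 * bind it as %d, and require that the message belongs to the caller.
 */
function pm_message_for_reply( $wpdb, $user_id, $raw_msgid ) {
    $msgid = absint( $raw_msgid ); // "12 OR 1=1" becomes 12, "abc" becomes 0
    if ( 0 === $msgid ) {
        return null; // missing or non-numeric id: no query is run
    }

    $table = $wpdb->prefix . 'private_messages';

    return $wpdb->get_row(
        $wpdb->prepare(
            "SELECT id, sender, subject, date, status FROM {$table}
             WHERE id = %d AND rcpid = %d",
            $msgid,
            (int) $user_id
        )
    );
}

// Assumed call site inside the plugin's admin page:
// $message = pm_message_for_reply( $wpdb, $current_user->ID, $_GET['msgid'] ?? '' );
```

The rcpid condition in the reply lookup also stops one user from loading another user's message by changing the id in the link.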