Security vulnerability in a WordPress plugin, WP-Forum

Weblog Tools Collection reports that the WP-Forum plugin contains a security vulnerability (SQL injection).

Here is Secunia's description:

websec Team have discovered a vulnerability in the WP-Forum plugin for WordPress, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the “user” parameter in the WordPress installation’s index.php script (when “forumaction” is set to “showprofile” and “page_id” to a page with the “” tag) is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation allows e.g. retrieving usernames, password hashes, and e-mail addresses for all users and administrators, but requires knowledge of the database table prefix.
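To check whether a site has received requests of the kind the advisory describes, the following added example (not from Secunia or the WP-Forum project) scans web server access log lines for "showprofile" requests whose "user" parameter is not a plain integer. It assumes legitimate profile links carry a numeric user id and that logs are in the common combined format; the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Pulls the request target out of a combined-format access log line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
NUMERIC_ID = re.compile(r"[0-9]+")


def suspicious_profile_request(log_line):
    """Return the decoded `user` value when the line is a request with
    forumaction=showprofile and a `user` parameter that is not a plain
    integer; return None otherwise.
    Assumption: legitimate profile links use a numeric user id."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    query = parse_qs(urlsplit(match.group(1)).query, keep_blank_values=True)
    if "showprofile" not in query.get("forumaction", []):
        return None
    for value in query.get("user", []):
        if not NUMERIC_ID.fullmatch(value):
            return value  # parse_qs has already URL-decoded it
    return None


def scan(lines):
    """Return (line_number, decoded_user_value) for every flagged line."""
    hits = []
    for number, line in enumerate(lines, 1):
        value = suspicious_profile_request(line)
        if value is not None:
            hits.append((number, value))
    return hits


# Constructed sample log lines (documentation IPs, not from a real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2008:10:00:00 +0000] '
    '"GET /index.php?page_id=12&forumaction=showprofile&user=3 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2008:10:00:05 +0000] '
    '"GET /index.php?page_id=12&forumaction=showprofile&user=3%27%20OR%20%271 HTTP/1.1" 200 7340',
    '203.0.113.9 - - [01/Jan/2008:10:00:09 +0000] "GET /index.php?p=42 HTTP/1.1" 200 4100',
]

if __name__ == "__main__":
    for lineno, value in scan(SAMPLE_LOG):
        print(f"line {lineno}: non-numeric user parameter {value!r}")
```

Only query strings appear in access logs, so requests that send the parameter in a POST body need application-level or WAF logging to be visible.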
