Subscribe2
[resolved] SQL injection vulnerabilities (3 posts)

  1. holizz
    Member
    Posted 2 years ago

    We found at least one error in our logs because unescaped data was being inserted into an SQL statement (we didn't exploit it; that's left as an exercise for the reader). Here's a patch against v8.3 that should hopefully prevent SQL injection attacks or accidents:

    https://gist.github.com/2954136

    I haven't thoroughly tested it, but it's a bit less vulnerable at least.

    Thanks,
    Tom Adams
    dxw

    http://wordpress.org/extend/plugins/subscribe2/
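    As an added example (not the Subscribe2 code and not the patch in the gist), here is the pattern Tom describes beside its usual WordPress fix: a hypothetical subscriber lookup with the value concatenated into the SQL, and the same query routed through `$wpdb->prepare()`. The `S2_Example_Wpdb_Standin` class, the function names and the table name are made up so the file runs outside WordPress; the code also avoids PHP 5.3 syntax, which matters for the PHP 5.2.x point raised below.

```php
<?php
// Added example for this thread, not code from Subscribe2 or its patch.
// Kept PHP 5.2-compatible (no [] array syntax, no closures).

// Minimal stand-in so the file runs outside WordPress; inside a plugin
// you use the real global $wpdb instead of this class.
class S2_Example_Wpdb_Standin {
    public $prefix = 'wp_';

    // Approximates wpdb::prepare(): %s becomes a quoted, escaped string,
    // %d an integer. The real method also handles %f and more edge cases.
    public function prepare( $query, $args ) {
        $args = func_get_args();
        array_shift( $args );
        if ( isset( $args[0] ) && is_array( $args[0] ) ) {
            $args = $args[0];
        }
        // Like wpdb, quote every %s ourselves so callers cannot half-quote it.
        $query = str_replace( "'%s'", '%s', $query );
        $query = preg_replace( '/(?<!%)%s/', "'%s'", $query );
        foreach ( $args as $i => $value ) {
            $args[ $i ] = is_int( $value ) ? $value : addslashes( $value );
        }
        return vsprintf( $query, $args );
    }
}

// Vulnerable form: whatever the visitor sent lands inside the SQL unchanged,
// so a quote character ends the string literal early.
function s2_example_unsafe_sql( $wpdb, $email ) {
    return "SELECT id FROM {$wpdb->prefix}subscribers WHERE email='" . $email . "'";
}

// Hardened form: the value travels as a parameter; prepare() quotes and
// escapes it, so the same input stays inside the literal.
function s2_example_safe_sql( $wpdb, $email ) {
    return $wpdb->prepare(
        "SELECT id FROM {$wpdb->prefix}subscribers WHERE email = %s",
        $email
    );
}

$wpdb = new S2_Example_Wpdb_Standin();
// Constructed input: an apostrophe is common in real addresses and is also
// the character that breaks the concatenated query, so it makes a good test.
$email = "o'brien@example.com";
echo s2_example_unsafe_sql( $wpdb, $email ), "\n";
echo s2_example_safe_sql( $wpdb, $email ), "\n";
```

    Diffing the two printed statements shows exactly where the unescaped quote changes the query structure; with the real `$wpdb` the second call is the one a plugin should hand to `$wpdb->get_var()` or `$wpdb->get_results()`.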

  2. mattyrob
    Member
    Plugin Contributor

    Posted 2 years ago

    Tom / holizz,

    Thanks for taking the time to make a code submission. I'll get patching and testing.

  3. mattyrob
    Member
    Plugin Contributor

    Posted 2 years ago

    @Tom / holizz,

    I've added some comments to the GitHub code. I'm testing the changes now, but some of the patched code doesn't fly in PHP 5.2.x, so it needed amending. If you get a chance, have a look and see if you think the changes are okay.

This topic has been closed to new replies.
