[Plugin: User Self Delete] SQL Injection Vulnerability | WordPress.org

Vladimir Kolesnikov
(@vladimir_kolesnikov)

13 years, 3 months ago
```
if ($_POST['delete_me'] == "yes") {
      mysql_query("DELETE FROM wp_users WHERE id='".$_POST['user_ID']."'");
      echo '<script type="text/javascript">window.location = "'.get_option('siteurl') . '/wp-login.php"</script>';
    }
```
This is stupid as $_POST[‘user_ID’] is never sanitized and if I pass 1 OR 1 as the ID, the plugin will happily delete ALL users from the database. Is your commercial version that buggy, too?

The next issue is that the plugin does not use WP API to delete the user — yes, it removes the entry from wp_users table (BTW, the prefix is not guaranteed to be “wp_” and it was stupid to hardcode it) but what about wp_usermeta table? And all other related tables?

I strongly do NOT recommend to use this plugin.

The topic ‘[Plugin: User Self Delete] SQL Injection Vulnerability’ is closed to new replies.

Tags

sql injection

In: Plugins
0 replies
1 participant
Last reply from: Vladimir Kolesnikov
Last activity: 13 years, 3 months ago
Status: not resolved