IMPORTANT FOR THE DEVELOPER – SECURITY EXPLOIT | WordPress.org

Resolved Jon taylor
(@jon-taylor)

11 years, 5 months ago

An exploit has been discovered. I have been running this version of the plugin and have been hacked twice in as many weeks. I have gone through my logs and found the source of the exploit is via the marker_listings.xml

After a quick search on Google, I found this.

http://dl.packetstormsecurity.net/1211-exploits/wpfirestormrealestate-sql.txt

Hope thats of some help in getting this hole plugged up.

http://wordpress.org/extend/plugins/fs-real-estate-plugin/

Viewing 1 replies (of 1 total)

Plugin Author FireStorm Plugins
(@wfernley)

11 years, 5 months ago

Hello, what version were you running when you were hacked? Have you upgraded to the latest version?

The link says this exploit is for version 2.06.08 however I don’t see how this is possible. That version includes a check (which is also displayed on that link) that checks to make sure the ID is numeric. If they try to inject any text to exploit/hack your website, it stops the page from loading as a security feature. There is also a secondary check to watch for any SQL injections in the plugin where the user tries to access the wp_users cell.

In a nutshell, if running version 2.06.08, this hack should not work.

Hope that helps!

Wes

Viewing 1 replies (of 1 total)

The topic ‘IMPORTANT FOR THE DEVELOPER – SECURITY EXPLOIT’ is closed to new replies.

In: Plugins
1 reply
2 participants
Last reply from: FireStorm Plugins
Last activity: 11 years, 5 months ago
Status: resolved