Title: [Plugin: Search Light] Potential for SQL Attacks
Last modified: August 20, 2016

---

# [Plugin: Search Light] Potential for SQL Attacks

 *  [lachlan.mcdonald](https://wordpress.org/support/users/lachlanmcdonald/)
 * (@lachlanmcdonald)
 * [14 years, 5 months ago](https://wordpress.org/support/topic/plugin-search-light-sql-exploit/)
 * Perhaps I have missed something, but there doesn't seem to be any kind of input
   sanitisation going on. If you look at the `itsas_sqlWhere()` and `itsas_search()`
   functions, it seems that the SQL queries are being constructed WITHOUT any
   safeguards against SQL injection attacks.
 * Nowhere is `$wpdb->prepare()` or `mysql_real_escape_string()` called. If no
   sanitisation is present, this represents a massive security problem for the plugin's
   users.
 * [http://wordpress.org/extend/plugins/search-light/](http://wordpress.org/extend/plugins/search-light/)
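The report above describes the defect only in general terms: a WHERE clause assembled from request input with no call to `$wpdb->prepare()`. The following is an added illustration, not code from the Search Light plugin or from the reporter, of the pattern being described and of the hardened form a plugin author should use. The function names `example_search_where_unsafe`, `example_search_where_safe` and `example_search` are hypothetical; the only real APIs used are `$wpdb->prepare()` and `$wpdb->esc_like()` (the latter available since WordPress 4.0).

```php
<?php
// Added illustration (not Search Light's code). Assumes the WordPress $wpdb
// global is available, i.e. this runs inside a loaded WordPress install.

// Unsafe pattern: the search term is concatenated straight into the SQL text,
// so a quote character in the request changes the structure of the query
// rather than being treated as data.
function example_search_where_unsafe( $term ) {
    return "WHERE post_title LIKE '%" . $term . "%' AND post_status = 'publish'";
}

// Hardened pattern: escape LIKE wildcards first, then let $wpdb->prepare()
// quote and escape the value for MySQL via its %s placeholder.
function example_search_where_safe( $term ) {
    global $wpdb;
    // esc_like() neutralises % and _ in user input so the caller, not the
    // user, decides where the wildcards go.
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    // prepare() takes sprintf-style placeholders; %s is quoted and escaped.
    // Literal percent signs in the format string itself would have to be %%.
    return $wpdb->prepare(
        "WHERE post_title LIKE %s AND post_status = 'publish'",
        $like
    );
}

// Caller: the table name comes from $wpdb, never from the request, because
// prepare() cannot parameterise identifiers, only values.
function example_search( $term ) {
    global $wpdb;
    $where = example_search_where_safe( $term );
    return $wpdb->get_results(
        "SELECT ID, post_title FROM {$wpdb->posts} {$where} LIMIT 20"
    );
}
```

When reviewing a plugin for this class of bug, the check is the one the reporter applied: trace every `$_GET`, `$_POST` and `$_REQUEST` value that reaches `$wpdb->query()`, `get_results()`, `get_var()` or `get_row()` and confirm it passes through `$wpdb->prepare()` (or an equivalent escape) on the way. Note that `prepare()` only protects placeholder values; column names, table names and `ORDER BY` directions still need to be validated against a fixed allow-list.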

Viewing 3 replies - 1 through 3 (of 3 total)

 *  [Mark (podz)](https://wordpress.org/support/users/podz/)
 * (@podz)
 * [14 years, 5 months ago](https://wordpress.org/support/topic/plugin-search-light-sql-exploit/#post-2362911)
 * Thanks – I’ve closed the plugin so the author – who I will notify – can investigate.
   It will be back when it is okay.
 *  [Sabinou](https://wordpress.org/support/users/sabinou1/)
 * (@sabinou1)
 * [14 years, 1 month ago](https://wordpress.org/support/topic/plugin-search-light-sql-exploit/#post-2363233)
 * Dang, so that’s why the plugin’s page is gone. Can’t blame you.
 * WordPress.org needs a “this plugin has been taken down because…” clause, I’m 
   serious about it 🙁
 * Edit: just found that the Shortcoder plugin has been temporarily removed because
   of an XSS issue until a new version is issued.
   I'll insist again: the WordPress project
   NEEDS a special page to say that a plugin has been taken down, even if no reason
   is provided (providing one would be much better, of course, but it would be more
   work). Treating plugins as if they never existed is definitely the wrong way.
 *  [Sabinou](https://wordpress.org/support/users/sabinou1/)
 * (@sabinou1)
 * [14 years, 1 month ago](https://wordpress.org/support/topic/plugin-search-light-sql-exploit/#post-2363234)
 * Please, I’m asking just in case, since the plugin’s dev did nothing in 3 months
   and his latest blog post regarding the plugin is OOOOOOOOLD…
 * Is it allowed to submit a fixed version of the code, or something like that?
   Is forking recommended instead, or is it downright forbidden?


The topic ‘[Plugin: Search Light] Potential for SQL Attacks’ is closed to new replies.

 * 3 replies
 * 3 participants
 * Last reply from: [Sabinou](https://wordpress.org/support/users/sabinou1/)
 * Last activity: [14 years, 1 month ago](https://wordpress.org/support/topic/plugin-search-light-sql-exploit/#post-2363234)
 * Status: not resolved