
User Self Delete
SQL Injection Vulnerability (1 post)

  1. Vladimir Kolesnikov
    Member
    Posted 4 years ago #

    if ($_POST['delete_me'] == "yes") {
        mysql_query("DELETE FROM wp_users WHERE id='".$_POST['user_ID']."'");
        echo '<script type="text/javascript">window.location = "'.get_option('siteurl') . '/wp-login.php"</script>';
    }

    This is stupid as $_POST['user_ID'] is never sanitized and if I pass 1 OR 1 as the ID, the plugin will happily delete ALL users from the database. Is your commercial version that buggy, too?

    The next issue is that the plugin does not use WP API to delete the user — yes, it removes the entry from wp_users table (BTW, the prefix is not guaranteed to be "wp_" and it was stupid to hardcode it) but what about wp_usermeta table? And all other related tables?

    I strongly do NOT recommend using this plugin.
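
A hardened form of the handler quoted in the post above, as an added example that is not part of the original post or the plugin's own code. It takes the account to delete from the logged-in session instead of `$_POST['user_ID']` and deletes through the WordPress API; the function name `usd_handle_self_delete`, the nonce action `usd_delete_me` and the administrator guard are assumptions made for illustration.

```php
<?php
// Added example (not the plugin's code). Hypothetical names:
// usd_handle_self_delete, nonce action 'usd_delete_me'.

function usd_handle_self_delete() {
    if ( ! isset( $_POST['delete_me'] ) || 'yes' !== $_POST['delete_me'] ) {
        return;
    }

    // Only an authenticated user can delete an account, and only their own.
    if ( ! is_user_logged_in() ) {
        return;
    }

    // CSRF check: the form must have been rendered with
    // wp_nonce_field( 'usd_delete_me' ). Dies on a missing or bad nonce.
    check_admin_referer( 'usd_delete_me' );

    // The ID comes from the session. No request parameter reaches SQL,
    // so there is nothing to inject into and no other user can be named.
    $user_id = get_current_user_id();

    // Assumed policy: do not let an administrator remove their own account.
    if ( current_user_can( 'manage_options' ) ) {
        wp_die( 'Administrators cannot delete their own account here.' );
    }

    // wp_delete_user() is defined in wp-admin and is not loaded on
    // front-end requests, so include it explicitly.
    require_once ABSPATH . 'wp-admin/includes/user.php';

    // Removes the users row, the matching usermeta rows and the user's
    // posts and links, using the table prefix configured for this site.
    wp_delete_user( $user_id );

    // Server-side redirect instead of echoing a <script> tag.
    wp_safe_redirect( wp_login_url() );
    exit;
}
add_action( 'init', 'usd_handle_self_delete' );
```

On a multisite install `wp_delete_user()` only removes the user from the current site; removing the account network-wide uses `wpmu_delete_user()`.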

Topic Closed

This topic has been closed to new replies.

About this Topic

  • Started 4 years ago by Vladimir Kolesnikov
  • This topic is not resolved
  • WordPress version: 3.0.4