[Plugin: User Self Delete] SQL Injection Vulnerability

  • if ($_POST['delete_me'] == "yes") {
        mysql_query("DELETE FROM wp_users WHERE id='".$_POST['user_ID']."'");
        echo '<script type="text/javascript">window.location = "'.get_option('siteurl') . '/wp-login.php"</script>';
    }

    This is stupid as $_POST['user_ID'] is never sanitized and if I pass 1 OR 1 as the ID, the plugin will happily delete ALL users from the database. Is your commercial version that buggy, too?

    The next issue is that the plugin does not use the WP API to delete the user — yes, it removes the entry from the wp_users table (BTW, the prefix is not guaranteed to be “wp_” and it was stupid to hardcode it) but what about the wp_usermeta table? And all other related tables?

    I strongly do NOT recommend using this plugin.

  • The topic ‘[Plugin: User Self Delete] SQL Injection Vulnerability’ is closed to new replies.
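
For contrast with the handler quoted in the post, here is an added example (not the plugin's code and not part of the original thread) of a self-deletion handler built on the WordPress API: the account removed is always the logged-in user's own, and `wp_delete_user()` cleans up `usermeta` and reassigns or removes the user's content. The function name, nonce action, nonce field name and the choice of the `init` hook are assumptions, and a single-site install is assumed.

```php
<?php
// Added example with hypothetical names; not code from the plugin.
// Assumes the form also prints:
//   wp_nonce_field( 'usd_example_self_delete', 'usd_example_nonce' );

add_action( 'init', 'usd_example_handle_self_delete' );

function usd_example_handle_self_delete() {
    if ( ! isset( $_POST['delete_me'] ) || 'yes' !== $_POST['delete_me'] ) {
        return;
    }

    // The ID comes from the authenticated session, never from the request
    // body, so a caller cannot name another account (or inject SQL).
    if ( ! is_user_logged_in() ) {
        return;
    }
    $user_id = get_current_user_id();

    // Reject forged cross-site submissions of the form.
    $nonce = isset( $_POST['usd_example_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['usd_example_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'usd_example_self_delete' ) ) {
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }

    // wp_delete_user() is defined in an admin include on front-end requests.
    require_once ABSPATH . 'wp-admin/includes/user.php';

    // Removes the wp_users row and the matching usermeta rows using the
    // site's real table prefix, and fires the delete_user hooks so other
    // plugins can clean up their own data.
    if ( ! wp_delete_user( $user_id ) ) {
        wp_die( 'Account could not be deleted.', '', array( 'response' => 500 ) );
    }

    // If a raw query were ever unavoidable, $wpdb->prepare() with
    // $wpdb->users would replace string concatenation and the hardcoded
    // "wp_users" table name.

    wp_clear_auth_cookie();
    wp_safe_redirect( wp_login_url() ); // server-side redirect, no inline script
    exit;
}
```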