WordPress.org

[Plugin: User Self Delete] SQL Injection Vulnerability

  • Vladimir Kolesnikov
    Member

    @vladimir_kolesnikov

    if ($_POST['delete_me'] == "yes") {
          mysql_query("DELETE FROM wp_users WHERE id='".$_POST['user_ID']."'");
          echo '<script type="text/javascript">window.location = "'.get_option('siteurl') . '/wp-login.php"</script>';
        }

    This is stupid as $_POST['user_ID'] is never sanitized and if I pass 1 OR 1 as the ID, the plugin will happily delete ALL users from the database. Is your commercial version that buggy, too?

    The next issue is that the plugin does not use the WP API to delete the user — yes, it removes the entry from the wp_users table (BTW, the prefix is not guaranteed to be “wp_” and it was stupid to hardcode it) but what about the wp_usermeta table? And all other related tables?

    I strongly do NOT recommend using this plugin.
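
For comparison with the snippet quoted in the post above, a hardened handler for the same self-delete action, as an added example that is not part of the original post or the plugin's own code. It assumes a single-site install and a form that posts to `admin-post.php`; the names `usd_handle_self_delete`, `usd_self_delete` and `usd_nonce` are hypothetical.

```php
<?php
/*
 * Plugin Name: Self Delete (hardened example)
 */

// Hypothetical hook suffix and handler name. admin_post_* only fires for
// logged-in users submitting to wp-admin/admin-post.php.
add_action( 'admin_post_usd_self_delete', 'usd_handle_self_delete' );

function usd_handle_self_delete() {
    // Belt and braces: refuse anonymous requests outright.
    if ( ! is_user_logged_in() ) {
        wp_safe_redirect( wp_login_url() );
        exit;
    }

    // Verify the nonce the form embedded with wp_nonce_field( 'usd_self_delete', 'usd_nonce' ).
    // check_admin_referer() terminates the request if it is missing or invalid.
    check_admin_referer( 'usd_self_delete', 'usd_nonce' );

    if ( ! isset( $_POST['delete_me'] ) || 'yes' !== $_POST['delete_me'] ) {
        wp_die( 'Deletion was not confirmed.', '', array( 'response' => 400 ) );
    }

    // The ID comes from the authenticated session, never from the request,
    // so no user-controlled value reaches SQL or selects another account.
    $user_id = get_current_user_id();

    // Design choice of this example: administrators cannot remove themselves here.
    if ( user_can( $user_id, 'manage_options' ) ) {
        wp_die( 'Administrators cannot self-delete.', '', array( 'response' => 403 ) );
    }

    // wp_delete_user() lives in an admin include. It uses $wpdb's table names
    // (whatever the prefix is) and removes the user's meta rows as well.
    require_once ABSPATH . 'wp-admin/includes/user.php';

    if ( ! wp_delete_user( $user_id ) ) {
        wp_die( 'Account could not be deleted.', '', array( 'response' => 500 ) );
    }

    // Drop the now-orphaned auth cookies and send the browser to the login page
    // with a server-side redirect instead of echoing a <script> tag.
    wp_clear_auth_cookie();
    wp_safe_redirect( wp_login_url() );
    exit;
}
```

Where a plugin does need its own query against the users table, `$wpdb->prepare()` with a `%d` placeholder and `$wpdb->users` for the table name covers both the unsanitized ID and the hardcoded prefix.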
