• Resolved treecutter

    (@treecutter)


    Hi Sudar

    WordPress just released 4.8.3 to plug a SQL injection vulnerability.

    Here is the blog by the security researcher who seems to have found the vulnerability:
    https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html?source=wordfence

    At the bottom of the blog a contributor has commented:

    If you want to know if any plugin or theme may have any trouble you can use the following commands:

        grep -r '$wpdb->prepare' . | grep '$_POST'
        grep -r '$wpdb->prepare' . | grep '$_GET'
        grep -r '$wpdb->prepare' . | grep 'esc_sql'

    Running the above returns the $wpdb->prepare statement in the code for your Email Log plugin.

    Just thought you might want to look at this, hope it helps, many thanks
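
An added example, not part of the original thread and not code from the Email Log plugin: the quoted grep pipelines only match when `$wpdb->prepare` and the marker sit on the same line, so this sketch applies the same three markers to the whole prepare() call, including calls split across lines. The function names and the PHP sample are constructed for illustration; a hit is a call to review by hand, not proof of an injection.

```python
import re

# Markers the quoted grep commands look for alongside $wpdb->prepare.
MARKERS = ("$_POST", "$_GET", "esc_sql")
CALL = re.compile(r"\$wpdb\s*->\s*prepare\s*\(")

def extract_call(src, open_idx):
    """Return text from the '(' at open_idx to its matching ')', skipping PHP strings."""
    depth, i, quote = 0, open_idx, None
    while i < len(src):
        ch = src[i]
        if quote:
            if ch == "\\":
                i += 1          # skip the escaped character inside a string
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return src[open_idx:i + 1]
        i += 1
    return src[open_idx:]       # unbalanced: return the rest for manual review

def audit_php(src):
    """Return (line_number, [markers]) for each prepare() call that contains a marker."""
    findings = []
    for m in CALL.finditer(src):
        call = extract_call(src, m.end() - 1)
        hits = [k for k in MARKERS if k in call]
        if hits:
            findings.append((src.count("\n", 0, m.start()) + 1, hits))
    return findings

# Constructed sample, not taken from any real plugin.
SAMPLE = '''<?php
$rows = $wpdb->get_results( $wpdb->prepare(
    "SELECT * FROM {$wpdb->prefix}log WHERE id = %d AND note = %s",
    $id,
    $_POST['note']
) );
$safe = $wpdb->prepare( "SELECT * FROM t WHERE id = %d", $id );
$q = $wpdb->prepare( "SELECT * FROM t WHERE a = '" . esc_sql( $a ) . "' AND b = %s", $b );
'''

if __name__ == "__main__":
    for line, hits in audit_php(SAMPLE):
        print(f"line {line}: prepare() call references {', '.join(hits)}")
```

On the constructed sample the call starting on line 2 is reported even though `$_POST` appears three lines later, which the line-based grep would not show.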

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Sudar Muthu

    (@sudar)

    Thanks for reporting this. I am looking into it right away to see if it needs a fix.

    Plugin Author Sudar Muthu

    (@sudar)

    I have gone through the code and verified that this vulnerability doesn’t affect the Email Log plugin.

    Thanks again for sharing the original article.

  • The topic ‘Possible Plugin vulnerability’ is closed to new replies.