Possible SQL Injection warning?

  • Resolved majdawoocomm

    (@majdawoocomm)


    7 years, 3 months ago

    Hi,

    Today we installed your plugin, in order to test it on our test site. We are also using Plugin Security Scanner plugin (https://wordpress.org/plugins/plugin-security-scanner/) and, after scanning only your plugin ended as vulnerable. This is what is displayed:

    amazon-product-in-a-post.php – this plugin takes raw user values and uses it delete from the database. This query can be manipulated to perform SQL injection attacks.

    Line 40:
    $tempswe = $wpdb->query(“DELETE FROM {$wpdb->prefix}amazoncache WHERE Cache_id ='{$wp->query_vars[‘appip-cache-id’]}’ LIMIT 1;”);

    Any thoughts? Thanks,
    Majda

Viewing 2 replies - 1 through 2 (of 2 total)
  • Don Fischer

    (@prophecy2040)

    7 years, 3 months ago

    Hi Majda,
    That vulnerability was patched way back in version 3.5.3 (over 15 versions and several years ago).

    So that means that either the scanner’s database is very out of date or you are using a very old version of the plugin. Please make sure you are using the latest version 4.0.3.3, if possible, to ensure you have all the latest bug and security fixes.

    Thread Starter majdawoocomm

    (@majdawoocomm)

    7 years, 3 months ago

    Hi Don, thank you so much for your fast response.

    We were using all the latest plugin versions (yours and scanning plugin), but I guess it is due to that scanning plugin, it also said that your plugin hasn’t been updated from the year 2015, what made us suspicious, but we needed to check with you, just in case.

    Thank you for everything!

    Best,
    Majda

Viewing 2 replies - 1 through 2 (of 2 total)

The topic ‘Possible SQL Injection warning?’ is closed to new replies.