Title: SQL Injection
Last modified: September 1, 2016

---

# SQL Injection

 *  Resolved [demon_ru](https://wordpress.org/support/users/demon_ru/)
 * (@demon_ru)
 * [9 years, 9 months ago](https://wordpress.org/support/topic/sql-injection-15/)
 * I think that this plugin is open to SQL injection.
   URL like:

   ```
   /wp-admin/admin-ajax.php?action=cd_ab_the_avatardata&ID=if%29%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%23&type=user
   ```
 * error log:

   ```
   FastCGI sent in stderr: ",NULL,NULL,NULL#)' at line 1 в ответ на запрос SELECT id, user_id, field_id, value, last_updated FROM wp_bp_xprofile_data WHERE field_id = 15 AND user_id IN (if) UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#), выполненный do_action('wp_ajax_nopriv_cd_ab_the_avatardata'), call_user_func_array, cd_ab_the_avatardata, cd_ab_get_the_userdata, xprofile_get_field_data, BP_XProfile_ProfileData::get_value_byid"
   ```
 * Plugin was disabled.
 * [https://wordpress.org/plugins/cd-bp-avatar-bubble/](https://wordpress.org/plugins/cd-bp-avatar-bubble/)

Viewing 2 replies - 1 through 2 (of 2 total)

 *  Thread Starter [demon_ru](https://wordpress.org/support/users/demon_ru/)
 * (@demon_ru)
 * [9 years, 9 months ago](https://wordpress.org/support/topic/sql-injection-15/#post-7526618)
 * It's a BUG in BuddyPress: `BP_XProfile_ProfileData::get_value_byid`
 * There is no `wp_parse_id_list` and `esc_sql`.
 *  Plugin Author [Slava Abakumov](https://wordpress.org/support/users/slaffik/)
 * (@slaffik)
 * [9 years, 9 months ago](https://wordpress.org/support/topic/sql-injection-15/#post-7526747)
 * Seems you already contacted security team, thanks!
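The defect the two posts describe, an ID list taken from the request and placed into `user_id IN (...)` without `wp_parse_id_list`/`esc_sql`, as an added PHP example that is not code from the cd-bp-avatar-bubble plugin or from BuddyPress. `sanitize_id_list()`, `build_query_unsafe()` and `build_query_safe()` are assumed names; `sanitize_id_list()` is a stand-in modelled on `wp_parse_id_list()` so the script runs without WordPress loaded, and the only input it is fed is the `ID` value quoted in the report above:

```php
<?php
// Added example, not the plugin's or BuddyPress's own code.
// Shows why a request value interpolated into "user_id IN (...)" lets the
// value close the IN() list and append its own clause, and how whitelisting
// the list to integers removes that possibility.
// sanitize_id_list() is a hypothetical stand-in for WordPress's
// wp_parse_id_list() (split on commas/whitespace, cast to int, dedupe) so the
// script runs stand-alone; in a real plugin use wp_parse_id_list() and
// $wpdb->prepare() with one %d placeholder per id.

declare(strict_types=1);

/** Reduce arbitrary input to a unique list of positive integer IDs. */
function sanitize_id_list(string|array $input): array
{
    $parts = is_array($input)
        ? $input
        : preg_split('/[\s,]+/', $input, -1, PREG_SPLIT_NO_EMPTY);
    $ids = [];
    foreach ($parts as $part) {
        $id = abs((int) $part);   // "if)" -> 0, "NULL#" -> 0, "15" -> 15
        if ($id > 0) {
            $ids[$id] = true;     // integer keys dedupe for free
        }
    }
    return array_keys($ids);
}

/** Vulnerable pattern: the raw string becomes part of the SQL text. */
function build_query_unsafe(string $fieldId, string $userIds): string
{
    return "SELECT id, user_id, field_id, value, last_updated FROM wp_bp_xprofile_data"
         . " WHERE field_id = {$fieldId} AND user_id IN ({$userIds})";
}

/**
 * Hardened pattern: only whitelisted integers can reach the IN() list.
 * Returns null when nothing valid remains so the caller skips the query
 * instead of running "IN ()" or "IN (0)".
 */
function build_query_safe(int $fieldId, string|array $userIds): ?string
{
    $ids = sanitize_id_list($userIds);
    if ($ids === []) {
        return null;
    }
    // With $wpdb available this would be:
    //   $placeholders = implode(',', array_fill(0, count($ids), '%d'));
    //   $wpdb->prepare("... WHERE field_id = %d AND user_id IN ($placeholders)", $fieldId, ...$ids);
    return sprintf(
        "SELECT id, user_id, field_id, value, last_updated FROM wp_bp_xprofile_data"
        . " WHERE field_id = %d AND user_id IN (%s)",
        $fieldId,
        implode(',', $ids)
    );
}

// The ID parameter quoted in the report, URL-decoded.
$reported = rawurldecode(
    'if%29%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%23'
);

// Reproduces the statement seen in the error log: ... user_id IN (if) UNION ALL SELECT NULL,...#)
echo "unsafe: ", build_query_unsafe('15', $reported), PHP_EOL;

var_dump(build_query_safe(15, $reported));    // NULL: no valid id survived
var_dump(build_query_safe(15, '16, 16 17'));  // "... AND user_id IN (16,17)"
```

Two things in the quoted log are worth a defender's attention beyond the query itself: the handler is hooked as `wp_ajax_nopriv_...`, which in WordPress means it runs for unauthenticated requests, so the input path needs the same validation as a public endpoint; and the database error was written to the FastCGI stderr log, which is where a monitoring rule for "UNION" or "at line 1" in stderr output would have caught the first probe.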


The topic ‘SQL Injection’ is closed to new replies.
