Support » Plugin: Google Photos Gallery with Shortcodes » SQL Injection attacks on this plugin (from Ukraine)

  • Resolved Argentum

    (@argentum)


    Hi,
    Wordfence is reporting a massive attack on my site, aimed at your plugin. Here are just a few. I hope you have coded it with high security in mind. Wordfence blocked it …

    
    februari 12, 2019 6:18e m  176.121.14.187 (Ukraine)     Blocked for SQL Injection in query string: cws_album=6443291289520223505%' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
    februari 12, 2019 6:18e m  176.121.14.187 (Ukraine)     Blocked for SQL Injection in query string: cws_album=6443291289520223505%' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
    februari 12, 2019 6:18e m  176.121.14.187 (Ukraine)     Blocked for SQL Injection in query string: cws_album=6443291289520223505%' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
    februari 12, 2019 6:18e m  176.121.14.187 (Ukraine)     Blocked for SQL Injection in query string: cws_album=6443291289520223505%' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL#
    februari 12, 2019 6:18e m  176.121.14.187 (Ukraine)     Blocked for SQL Injection in query string: cws_album=6443291289520223505%' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL#
    februari 12, 2019 6:18e m  176.121.14.187 (Ukraine)     Blocked for SQL Injection in query string: cws_album=6443291289520223505%' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL#
    februari 12, 2019 6:18e m  176.121.14.187 (Ukraine)     Blocked for SQL Injection in query string: cws_album=6443291289520223505%' UNION ALL SELECT NULL,NULL,NULL,NULL#
    februari 12, 2019 6:18e m  176.121.14.187 (Ukraine)     Blocked for SQL Injection in query string: cws_album=6443291289520223505%' UNION ALL SELECT NULL,NULL,NULL#
    februari 12, 2019 6:18e m  176.121.14.187 (Ukraine)     Blocked for SQL Injection in query string: cws_album=6443291289520223505%' UNION ALL SELECT NULL,NULL#
    februari 12, 2019 6:18e m  176.121.14.187 (Ukraine)     Blocked for SQL Injection in query string: cws_album=6443291289520223505%' UNION ALL SELECT NULL#
    
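The entries above show one IP trying `UNION ALL SELECT NULL,...` with the column count stepped from 10 down to 1, which is what a scanner does to find the column count of a UNION-based injection. As an added example (not code from the plugin or from either poster), this script parses Wordfence block lines of that shape and reports each source IP and parameter that cycled through several distinct column counts; the log text is constructed to mirror the quoted lines, and the second IP and its country label are placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample in the shape of the Wordfence lines quoted above
# (three of the ten probes from the report plus one unrelated block).
SAMPLE_LOG = """\
februari 12, 2019 6:18e m  176.121.14.187 (Ukraine)     Blocked for SQL Injection in query string: cws_album=6443291289520223505%' UNION ALL SELECT NULL,NULL,NULL#
februari 12, 2019 6:18e m  176.121.14.187 (Ukraine)     Blocked for SQL Injection in query string: cws_album=6443291289520223505%' UNION ALL SELECT NULL,NULL#
februari 12, 2019 6:18e m  176.121.14.187 (Ukraine)     Blocked for SQL Injection in query string: cws_album=6443291289520223505%' UNION ALL SELECT NULL#
februari 12, 2019 6:20e m  203.0.113.7 (Unknown)     Blocked for SQL Injection in query string: cws_album=1' OR 1=1#
"""

# IP, country in parentheses, the Wordfence reason, then "param=value".
LINE_RE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \([^)]*\)\s+Blocked for SQL Injection"
    r" in query string: (?P<param>\w+)=(?P<value>.*)$"
)
# UNION [ALL] SELECT followed by a comma-separated run of NULL placeholders.
UNION_RE = re.compile(
    r"UNION\s+(?:ALL\s+)?SELECT\s+(?P<cols>NULL(?:\s*,\s*NULL)*)", re.I
)

def parse_blocks(log_text):
    """Yield (ip, param, url-decoded value) for every block line that matches."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["ip"], m["param"], unquote_plus(m["value"])

def union_column_count(value):
    """Number of NULL placeholders in a UNION SELECT probe, 0 if not a probe."""
    m = UNION_RE.search(value)
    return m["cols"].upper().count("NULL") if m else 0

def find_column_enumeration(log_text, min_probes=3):
    """Map (ip, param) -> sorted distinct column counts tried.

    Only pairs that tried at least min_probes distinct counts are returned;
    a run like 10, 9, ..., 1 from one IP is the enumeration signature.
    """
    seen = defaultdict(set)
    for ip, param, value in parse_blocks(log_text):
        n = union_column_count(value)
        if n:
            seen[(ip, param)].add(n)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_probes}
```

Running `find_column_enumeration` over the sample flags only the Ukrainian IP against `cws_album`; the single `OR 1=1` block from the placeholder IP is a WAF hit but not column enumeration.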
  • Plugin Author nakunakifi

    (@nakunakifi)

    Hi @argentum

    Yes the plugin is developed with security in mind.

    It looks more like it will have affected your site more like a DDoS.

    The cws_album id from the URL is sanitised and is not even written into a database; it is used to query the Google API.

    Also, for future reference, pasting suspected hack attacks into a public forum is not a sensible thing to do.

    Thanks
