Support » Plugin: WP Athletics » SQL injection vulerability

  • In wp-athletics-db.php, line 1937 (get_events_for_year), there is an obvious SQL injection vector.
    Essentially, using $data[‘year’] completely unsanitised in an SQL statement.
    The SQL should ideally be converted into a prepared statement, but a simple fix would be to sanitise $data[‘year’] before using it.

    PoC (javascript) – note the ‘; #’ in the year parameter:
    WPA.Ajax.getEvents({year: ‘2017 ORDER by e.date DESC; #’}, function(result) {
    if(result && result.results) {
    WPA.Events.printEvents(result.results);
    }
    });

  • The topic ‘SQL injection vulerability’ is closed to new replies.