Title: SQL Injection vulnerability
Last modified: December 23, 2023

---

# SQL Injection vulnerability

 *  Resolved [spiralofhope](https://wordpress.org/support/users/spiralofhope2/)
 * (@spiralofhope2)
 * [2 years, 3 months ago](https://wordpress.org/support/topic/sql-injection-vulnerability-16/)
 * WordPress Pre* Party Resource Hints Plugin <= 1.8.18 is vulnerable to SQL Injection
   
   [https://patchstack.com/database/vulnerability/pre-party-browser-hints/wordpress-pre-party-resource-hints-plugin-1-8-18-sql-injection-vulnerability?_a_id=110](https://patchstack.com/database/vulnerability/pre-party-browser-hints/wordpress-pre-party-resource-hints-plugin-1-8-18-sql-injection-vulnerability?_a_id=110)

Viewing 12 replies - 1 through 12 (of 12 total)

 *  [Azrael3000](https://wordpress.org/support/users/azrael3000/)
 * (@azrael3000)
 * [2 years, 3 months ago](https://wordpress.org/support/topic/sql-injection-vulnerability-16/#post-17321077)
 * Any update on an upcoming patched version?
 *  [Konstantinos Galanakis](https://wordpress.org/support/users/kg10up/)
 * (@kg10up)
 * [2 years, 3 months ago](https://wordpress.org/support/topic/sql-injection-vulnerability-16/#post-17325360)
 * Hello.
 * Thank you for this great plugin. Are there any updates planned to fix this?
 * Looking forward to hearing from you.
 *  Plugin Author [Sam Perrow](https://wordpress.org/support/users/samperrow/)
 * (@samperrow)
 * [2 years, 3 months ago](https://wordpress.org/support/topic/sql-injection-vulnerability-16/#post-17325499)
 * The link posted above doesn’t say anything specific about where the supposed 
   vulnerability is, or how it can be reproduced. Without that information, how 
   am I supposed to begin fixing it?
 *  [darlanoliveira](https://wordpress.org/support/users/darlanoliveira/)
 * (@darlanoliveira)
 * [2 years, 3 months ago](https://wordpress.org/support/topic/sql-injection-vulnerability-16/#post-17326077)
 * The security plugin **Wordfence Security** flagged this vulnerability and
   is recommending that your plugin be deactivated until it is fixed. Is there
   any estimate for when this flaw will be corrected?
   "SQL Injection vulnerability" Edit: link to the Wordfence page
   [https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/pre-party-browser-hints/pre-party-resource-hints-1818-authenticatedadministrator-sql-injection](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/pre-party-browser-hints/pre-party-resource-hints-1818-authenticatedadministrator-sql-injection)
    -  This reply was modified 2 years, 3 months ago by [Yui](https://wordpress.org/support/users/fierevere/).
    -  This reply was modified 2 years, 3 months ago by [darlanoliveira](https://wordpress.org/support/users/darlanoliveira/).
 *  [Azrael3000](https://wordpress.org/support/users/azrael3000/)
 * (@azrael3000)
 * [2 years, 3 months ago](https://wordpress.org/support/topic/sql-injection-vulnerability-16/#post-17326134)
 * I had received this report from Wordfence:
 * [https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/pre-party-browser-hints/pre-party-resource-hints-1818-authenticatedadministrator-sql-injection](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/pre-party-browser-hints/pre-party-resource-hints-1818-authenticatedadministrator-sql-injection)
 *  [Konstantinos Galanakis](https://wordpress.org/support/users/kg10up/)
 * (@kg10up)
 * [2 years, 3 months ago](https://wordpress.org/support/topic/sql-injection-vulnerability-16/#post-17328335)
 * Hello Sam,
 * If the Wordfence link does not provide enough information to help you identify
   the vulnerability you can always contact the researcher to help you identify 
   the place you will need to patch.
 * Here is his personal website with contact info [https://daffa.info/](https://daffa.info/)
 * Thank you
 *  [Step By Step 3D](https://wordpress.org/support/users/welchwerks/)
 * (@welchwerks)
 * [2 years, 3 months ago](https://wordpress.org/support/topic/sql-injection-vulnerability-16/#post-17331077)
 * Hi Sam.
   Wanted to pass along that wpengine is reporting the same. I don't have
   any more information about the issue other than what they post here. Hope it
   helps in some way.
 * Pre* Party Resource Hints 1.8.18
     - Security risk: sqli. The plugin contains a vulnerability wherein unauthenticated
       visitors could inject SQL statements into WordPress. SQL injection could allow
       an attacker to gain control of your site. Severity: medium Fixed in: no fix
       yet
 *  -  This reply was modified 2 years, 3 months ago by [Step By Step 3D](https://wordpress.org/support/users/welchwerks/).
 *  [Anthony Thorne](https://wordpress.org/support/users/anthonythorne/)
 * (@anthonythorne)
 * [2 years, 3 months ago](https://wordpress.org/support/topic/sql-injection-vulnerability-16/#post-17331092)
 * Hello Sam (Plugin Author),
 * Thank you for your input and the valuable references shared by previous contributors,
   including the links to Patchstack and the reports by Muhammad Daffa. After reviewing
   Muhammad’s history of reporting, I’ve noticed a recurring theme of SQL Injection
   vulnerabilities.
 * Having examined some of these reports in relation to your current plugin version,
   I suggest focusing on the file located at `plugins/pre-party-browser-hints/includes/
   common/DAO.php`, specifically in the `get_admin_hints_query` method, at line 
   140: `" ORDER BY $order_by $order"`. It appears that this section could benefit
   from an update, possibly along the lines of what follows.
 * ```php
   $order_by_sql = sanitize_sql_orderby( "{$order_by} {$order}" );
   // sanitize_sql_orderby() returns false on invalid input; use a default rather than concatenating false.
   if ( false === $order_by_sql ) {
       $order_by_sql = 'id ASC'; // placeholder default sort column
   }
   $new_query['sql'] .= " ORDER BY $order_by_sql";
   ```
   
 * Kind Regards,
 *  Plugin Author [Sam Perrow](https://wordpress.org/support/users/samperrow/)
 * (@samperrow)
 * [2 years, 3 months ago](https://wordpress.org/support/topic/sql-injection-vulnerability-16/#post-17341014)
 * This issue has been fixed with 1.8.19.
 *  [Anthony Thorne](https://wordpress.org/support/users/anthonythorne/)
 * (@anthonythorne)
 * [2 years, 3 months ago](https://wordpress.org/support/topic/sql-injection-vulnerability-16/page/2/#post-17349008)
 * Hi Sam,
   This patch does not appear to have fixed the issue. [https://patchstack.com/database/vulnerability/pre-party-browser-hints](https://patchstack.com/database/vulnerability/pre-party-browser-hints)
   The vulnerability appears to be still present. The link above was last updated
   with the latest release 1.8.19 and still states
 * Vulnerability history: Not fixed: 1 present; Fixed: 0 patched
 * I’m not 100% sure this is it, but it might be worth looking at the comment I
   made last week to see if `sanitize_sql_orderby` sanitizing the order and order
   by variables helps.
   It might be best to reach out to the reporter to see if they
   can provide more information [Muhammad Daffa](https://patchstack.com/database/researcher/9978374f-fb8b-4f96-be73-7a74d79c2b84).
   Alternatively, Patchstack may be able to shed some light on it: triage@patchstack.com.
   Kind Regards,
    -  This reply was modified 2 years, 3 months ago by [Anthony Thorne](https://wordpress.org/support/users/anthonythorne/).
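The two posts by Anthony Thorne above suggest passing the `ORDER BY` inputs through `sanitize_sql_orderby()`. The following is an added example, not the plugin's code, showing the defensive pattern in full: an allowlist of sortable columns plus a two-value direction enum, and a fallback for the case where `sanitize_sql_orderby()` rejects the input and returns `false`. The column names and the hypothetical `build_order_clause()` / `order_clause_via_wp()` helpers are constructed for illustration.

```php
<?php
// Added example (not the plugin's code). Builds an ORDER BY fragment from
// request parameters without ever placing raw user input into the SQL.

// Constructed allowlist of columns a caller may sort by.
const ALLOWED_ORDER_BY = ['id', 'url', 'hint_type', 'created'];
const DEFAULT_ORDER    = ' ORDER BY id ASC';

// Strict approach: only allowlisted column names and ASC/DESC survive.
// Anything else yields the fixed default, so the query shape cannot change.
function build_order_clause(string $order_by, string $order): string
{
    $order_by = strtolower(trim($order_by));
    $order    = strtoupper(trim($order));

    if ($order !== 'ASC' && $order !== 'DESC') {
        $order = 'ASC';
    }
    if (!in_array($order_by, ALLOWED_ORDER_BY, true)) {
        return DEFAULT_ORDER;
    }
    return " ORDER BY {$order_by} {$order}";
}

// WordPress-style approach: sanitize_sql_orderby() returns false when the
// string is not a valid "column [ASC|DESC]" list, so the caller must handle
// false instead of concatenating it. Outside WordPress a simplified regex
// stands in for the real function (assumption: single column only).
function order_clause_via_wp(string $order_by, string $order): string
{
    $candidate = trim("{$order_by} {$order}");
    if (function_exists('sanitize_sql_orderby')) {
        $sanitized = sanitize_sql_orderby($candidate);
    } else {
        $sanitized = preg_match('/^[a-z0-9_]+(\s+(ASC|DESC))?$/i', $candidate)
            ? $candidate
            : false;
    }
    return $sanitized === false ? DEFAULT_ORDER : " ORDER BY {$sanitized}";
}

// Constructed inputs: a valid sort request and one that is not a column name.
foreach ([['url', 'desc'], ['not a column', 'asc']] as [$col, $dir]) {
    echo build_order_clause($col, $dir), PHP_EOL;
    echo order_clause_via_wp($col, $dir), PHP_EOL;
}
```

Of the two, the allowlist is the stronger control because it also rejects syntactically valid column names the schema does not expose.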
 *  [Azrael3000](https://wordpress.org/support/users/azrael3000/)
 * (@azrael3000)
 * [2 years, 3 months ago](https://wordpress.org/support/topic/sql-injection-vulnerability-16/page/2/#post-17350754)
 * The Wordfence listing for this vulnerability still says it hasn’t been patched
   as well:
 * [https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/pre-party-browser-hints/pre-party-resource-hints-1818-authenticatedadministrator-sql-injection](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/pre-party-browser-hints/pre-party-resource-hints-1818-authenticatedadministrator-sql-injection)
 *  [Azrael3000](https://wordpress.org/support/users/azrael3000/)
 * (@azrael3000)
 * [2 years, 2 months ago](https://wordpress.org/support/topic/sql-injection-vulnerability-16/page/2/#post-17363921)
 * This thread was marked as resolved, but the issue still persists.
 * Can we get an update on when a confirmed patched version will be made available?


The topic ‘SQL Injection vulnerability’ is closed to new replies.

 * 20 replies
 * 7 participants
 * Last reply from: [Azrael3000](https://wordpress.org/support/users/azrael3000/)
 * Last activity: [2 years, 2 months ago](https://wordpress.org/support/topic/sql-injection-vulnerability-16/page/2/#post-17363921)
 * Status: resolved