Toolbox
SQL Injection Vulnerability (2 posts)

  1. computercourage
    Member
    Posted 2 years ago

    Is there any truth to this claim about the Toolbox theme? http://osvdb.org/show/osvdb/88293

    It claims:
    "Toolbox Theme for WordPress contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the /wp-content/Themes/toolbox/include/flyer.php script not properly sanitizing user-supplied input to the 'mls' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data."

    Can anyone elaborate on this, whether it's been fixed, or how one can patch it?

  2. Konstantin Obenland
    Code Wizard
    Posted 2 years ago

    I'm not sure where this is coming from, but if you download the theme you'll find that there is no /include/flyer.php file in the package.

    For future reference: If you happen to find a security vulnerability in one of our services, we would appreciate you letting us know before disclosing the issue publicly at:
    http://automattic.com/security/

    Thanks!

Topic Closed

This topic has been closed to new replies.
