Support » Plugin: Adminer » Useful but extremely dangerous

  • The tool is very useful, but extremely dangerous! Even when disabled in /wp-admin/plugins.php, the PHP files can still be accessed directly. They require no authentication whatsoever but offer full access to the database.

    The only limit i found, is that you have to guess the database name and prefix, which is not so hard in most cases.

    I’ve disclosed all details to the author, but got no reply at all.

    @author: please fix this

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author Frank Bueltge


    Yes, the plugin is also usable for non-WP sites.
    Maybe I include a blocker for non access via WP.

    Hi Frank,

    Good that the plugin can also be used for non-WP. But the reason that this plugin is so much less secure than the vanilla, is that it reads the database connection information automatically.

    So where a bad guy would have to guess the password as well when using adminer, the adminer-wordpress-plugin does not have this protection.

    If the adminer-wp-plugin uses wordpress-specific convenience features to allow access to the database, I think it should also use wordpress-specific protection.

    Frank, can you move the is_admin() check to login() in loader.php?

    Plugin Author Frank Bueltge


    Yes, it is possible. The WP-functions is usable on this part.
    I will do this in the next update, maybe today. Sorry – I have so much topics in the last time.

    Plugin Author Frank Bueltge


    @jakubvrana is_admin() is not so easy usable, only via load from admin.php and I think a better check is for the rights of user, via current_user_can(). In the new version I have inlcude this check to use only if the user is logged in and have enough capability to use your great tool Adminer.

    @annoyingmouse: I have include a check for the capability, that check also if the user logged in and dont allow to load the loader without WP. Thanks for important hint!

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Useful but extremely dangerous’ is closed to new replies.