• The “download CSV” shortcode has a hidden “query” field that accepts arbitrary SQL. Do not use this plugin unless you want your entire site owned, up to and including your database getting dropped. I’d be kinder, but… user-side SQL.

    <input type="hidden" name="query" value="SELECT%20%2A%20FROM%20participants_database%20ORDER%20BY%20%60date_updated%60%20desc" />

Viewing 4 replies - 1 through 4 (of 4 total)
  • Thanks for pointing this out! Indeed a big no-no… 0 stars because of this security issue

    It seems like this security bug was fixed rather promptly (I guess, it was fixed in less than a month).

    Whoops, misread something, this is still a live bug

    Plugin Author xnau webdesign (@xnau)

    This discussion finally came to my attention.

    While the field does exist in the form, it is not used. The query that gets used to put together the exported data is obtained from a WordPress transient value, as you can see on line 2355 of the file participants-database.php in version 1.6.2.5.

    This issue was addressed as of version 1.5.4.9, which was released May 31, 2014.

    That unused field (which was left in by mistake) will not be present in the next release of the plugin.
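The two patterns discussed in this thread side by side, as an added example that is not the plugin's own code and does not reproduce its handlers. The first function shows what the original report feared: a hidden field carrying SQL that the server executes verbatim. The second shows the shape the author describes, with the query assembled server-side from allowlisted inputs, bound values passed through $wpdb->prepare(), and the finished statement parked in a transient keyed to the user until the export runs. Function names, the table name, the column list, the capability and the nonce action are all assumptions made for the illustration; only the WordPress core APIs ($wpdb, get_transient/set_transient, check_admin_referer, current_user_can) are real.

```php
<?php
// Added illustration only; not the Participants Database plugin's code.
// All pdb_demo_* names, the table name and the column list are assumed.

// BEFORE: the hidden "query" field is trusted and run as-is. Any user who
// can reach the form can run any statement the DB user is allowed to run.
function pdb_demo_export_unsafe() {
    global $wpdb;
    $sql = wp_unslash( $_POST['query'] );        // attacker-controlled SQL
    return $wpdb->get_results( $sql, ARRAY_A );   // executed verbatim
}

// AFTER, step 1: the client may only choose a sort column, a direction and
// an optional lower bound on date_updated. Identifiers come from a server
// side allowlist (they cannot be bound as values); the one value is bound
// with $wpdb->prepare(). The resulting SQL never leaves the server.
function pdb_demo_stage_export( $column, $direction, $since = '' ) {
    global $wpdb;
    $allowed_columns = array( 'id', 'last_name', 'date_updated' ); // assumed schema
    if ( ! in_array( $column, $allowed_columns, true ) ) {
        $column = 'date_updated';                 // safe default, not an error page
    }
    $direction = ( 'ASC' === strtoupper( $direction ) ) ? 'ASC' : 'DESC';
    $table     = $wpdb->prefix . 'participants_database';          // assumed name

    $sql = "SELECT * FROM `{$table}`";
    if ( '' !== $since ) {
        // %s is quoted and escaped by prepare(); $since may be anything.
        $sql .= $wpdb->prepare( ' WHERE `date_updated` >= %s', $since );
    }
    $sql .= " ORDER BY `{$column}` {$direction}";

    // Park the statement for this user; the export step reads it back.
    set_transient( 'pdb_demo_export_' . get_current_user_id(), $sql, 5 * MINUTE_IN_SECONDS );
    return $sql;
}

// AFTER, step 2: the export handler checks the nonce and capability, then
// reads the staged query. $_POST['query'] is deliberately never consulted,
// so a leftover hidden field in the form is inert.
function pdb_demo_run_export() {
    global $wpdb;
    check_admin_referer( 'pdb_demo_export' );                      // assumed action
    if ( ! current_user_can( 'manage_options' ) ) {                // assumed capability
        wp_die( 'forbidden' );
    }
    $sql = get_transient( 'pdb_demo_export_' . get_current_user_id() );
    if ( false === $sql ) {
        wp_die( 'no export has been staged' );
    }
    return $wpdb->get_results( $sql, ARRAY_A );
}
```

The check a reviewer would actually make on a shipped version is whether the export path reads the field at all: grep the plugin for `$_POST['query']` (and `$_REQUEST['query']`, `$_GET['query']`) and, if nothing is found outside the form markup, the hidden input is dead weight rather than an injection point, which is the author's claim above. If a hit does appear, the first function is the pattern to look for.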

  • The topic ‘User-side SQL’ is closed to new replies.