WordPress HDW Player Plugin 'wp-admin/admin.php' SQL Injection Vulnerability
Release date:
Updated on:
Affected Systems:
WordPress HDW Player 2.4.2
WordPress HDW Player
Description:
--------------------------------------------------------------------------------
Bugtraq id: 69105
CVE (CAN) ID: CVE-2014-5180
The WordPress HDW Player plug-in embeds the HDW Player video player in a WordPress site.
HDW Player 2.4.2 (and possibly other versions) contains a SQL injection vulnerability: the id parameter of the video edit operation in wp-admin/admin.php is not properly sanitized before it is used in a database query, so an authenticated remote attacker can use it to execute arbitrary SQL commands.
<* Source: Anant Shrivastava *>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use at your own risk!
http://www.example.com/wp-admin/admin.php?page=videos&opt=edit&id=2 union select 1,2,user(),4,5,6,database(),8,@version,10,11,12
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
WordPress
---------
Currently, the vendor has not released a patch or upgrade. Users of this software are advised to follow the vendor's homepage to obtain the latest version:
https://wordpress.org/plugins/hdw-player-video-player-video-gallery/
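While no vendor fix is available, a site operator can at least detect attempts against this endpoint in the web server access log. The script below is an added example, not part of the original advisory or of the plugin; it parses combined-format access-log lines (the sample lines are constructed for this example), keeps only requests to wp-admin/admin.php with page=videos and opt=edit, and flags every request whose id parameter is not a plain decimal integer. That strict-integer check is the same invariant a patched plugin should enforce before the value reaches a query (in WordPress terms, casting with absint() and binding the value through $wpdb->prepare()).

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache/nginx "combined" format).
# Lines 2 and 3 carry a non-numeric id in the shape described by the advisory;
# line 1 is a normal edit request and line 4 is unrelated plugin traffic.
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Aug/2014:10:01:02 +0000] "GET /wp-admin/admin.php?page=videos&opt=edit&id=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - admin [12/Aug/2014:10:02:15 +0000] "GET /wp-admin/admin.php?page=videos&opt=edit&id=2%20union%20select%201,2,user(),4 HTTP/1.1" 200 6001 "-" "Mozilla/5.0"
10.0.0.9 - admin [12/Aug/2014:10:02:40 +0000] "GET /wp-admin/admin.php?page=videos&opt=edit&id=2+OR+1%3D1 HTTP/1.1" 200 6001 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Aug/2014:10:03:00 +0000] "GET /wp-content/plugins/hdw-player-video-player-video-gallery/style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, authenticated user, timestamp,
# method, request target and status code are all we need here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)


def is_strict_int(value):
    """True only for an unsigned decimal integer such as '2' or '17'.

    Anything else (spaces, quotes, operators, SQL keywords) is rejected;
    this is the same check a hardened edit handler should apply to id."""
    return re.fullmatch(r'[0-9]+', value) is not None


def flag_hdw_edit_requests(log_text):
    """Return one finding per HDW Player edit request whose id is not numeric."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m.group('target'))
        if not parts.path.endswith('/wp-admin/admin.php'):
            continue
        # parse_qs percent-decodes values and turns '+' into a space,
        # so the check below sees the same string the plugin would.
        qs = parse_qs(parts.query, keep_blank_values=True)
        if qs.get('page') != ['videos'] or qs.get('opt') != ['edit']:
            continue
        for decoded_id in qs.get('id', []):
            if not is_strict_int(decoded_id):
                findings.append({
                    'ip': m.group('ip'),
                    'user': m.group('user'),
                    'ts': m.group('ts'),
                    'status': int(m.group('status')),
                    'id': decoded_id,
                })
    return findings


if __name__ == '__main__':
    for f in flag_hdw_edit_requests(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} user={f['user']} status={f['status']} id={f['id']!r}")
```

Because the check is an allow-list on the parameter's shape rather than a block-list of SQL keywords, encoding tricks or alternative keywords do not evade it; the trade-off is that any deliberately non-numeric id (which this edit operation should never have) is reported, so review findings by source IP and authenticated user rather than alerting on a single hit.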