WordPress Madebymilk Theme 'id' parameter SQL Injection Vulnerability

Release date:
Updated on:

Affected Systems:
WordPress Madebymilk
Description:
--------------------------------------------------------------------------------
Bugtraq id: 56608

WordPress is a Blog (Blog, Blog) engine developed using the PHP language and MySQL database. you can create your own Blog on servers that support PHP and MySQL databases.

The voting-popup.php page of the WordPress Madebymilk topic does not check the legitimacy of the 'id' parameter, resulting in an SQL injection vulnerability on the page. Attackers exploit this vulnerability to damage the application, access or modify data, and exploit other potential vulnerabilities in the underlying database.

<* Source: Ashiyane Digital Security Team
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!

Https://www.example.com/wp-content/plugins/madebymilk/voting-popup.php? Id = null'

Suggestion:
--------------------------------------------------------------------------------
Temporary solution:

If you cannot install or upgrade the patch immediately, NSFOCUS recommends that you take the following measures to reduce the threat:

* Stop using the madebymilk topic and use another topic.

Vendor patch:

WordPress
---------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:

Http://wordpress.org/