WordPress CStar Design 'id' parameter SQL Injection Vulnerability

Release date:
Updated on:

Affected Systems:
WordPress CStar Design
Description:
--------------------------------------------------------------------------------
Bugtraq id: 56694

WordPress's CStar Design plug-in is a user interface management system.

WordPress's CStar Design plug-in does not verify the validity of the flashmoXML. php page id parameter, leading to the SQL injection vulnerability. Attackers can exploit this vulnerability to operate the database without authorization and obtain important information.

<* Source: Amirh03in
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!

Http://www.example.com/wp-content/themes/cstardesign/swf/flashmo/flashmoXML.php? Id = [SQL]

Suggestion:
--------------------------------------------------------------------------------
Temporary solution:

* Disable CStar Design.

Vendor patch:

WordPress
---------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:

Http://wordpress.org/extend/plugins/