WordPress Spiffy XSPF Player Plug-in 'playlist_id' Parameter SQL Injection Vulnerability
Release date:
Updated on: 2013-04-12
Affected Systems:
Boriel Spiffy XSPF Player
Description:
--------------------------------------------------------------------------------
Bugtraq id: 58976
The Spiffy XSPF Player plug-in embeds Fabrizio's Macromedia XSPF Player in a WordPress site.
Spiffy XSPF Player 0.1 and other versions are prone to an SQL injection vulnerability in the playlist_id parameter of playlist.php. After successful exploitation, attackers can compromise the application and perform unauthorized database operations.
<* Source: Ashiyane Digital Security Team
Link: http://packetstormsecurity.com/files/121204/wpspiffy-sql.txt
*>
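The following illustration is added here and is not the Spiffy XSPF Player plug-in's own source: it shows, in a hypothetical playlist.php-style handler, the class of defect the advisory describes (a client-supplied playlist_id concatenated straight into a query) next to the hardened form a maintainer would ship. It assumes WordPress is loaded so that $wpdb, absint() and status_header() are available; the table name spiffy_playlists and its columns are assumptions.

```php
<?php
// Added illustration (not the Spiffy XSPF Player plug-in's actual code).
// Table `spiffy_playlists` and columns id/title/xspf are assumed names.

// --- Vulnerable pattern: untrusted GET value concatenated into SQL ---
function spiffy_get_playlist_vulnerable( $wpdb ) {
    $id = isset( $_GET['playlist_id'] ) ? $_GET['playlist_id'] : '';
    // Whatever the client sends becomes part of the SQL statement itself.
    $sql = "SELECT id, title, xspf FROM {$wpdb->prefix}spiffy_playlists WHERE id = " . $id;
    return $wpdb->get_row( $sql );
}

// --- Hardened pattern: validate the type, then parameterise the query ---
function spiffy_get_playlist_hardened( $wpdb ) {
    // playlist_id is an integer key: reject anything that is not a positive integer.
    if ( ! isset( $_GET['playlist_id'] ) || ! ctype_digit( (string) $_GET['playlist_id'] ) ) {
        return null;
    }
    $id = absint( $_GET['playlist_id'] );
    if ( 0 === $id ) {
        return null;
    }
    // $wpdb->prepare() with %d guarantees that an integer literal reaches MySQL,
    // so the value can no longer change the structure of the statement.
    $sql = $wpdb->prepare(
        "SELECT id, title, xspf FROM {$wpdb->prefix}spiffy_playlists WHERE id = %d",
        $id
    );
    return $wpdb->get_row( $sql );
}

// Entry point for the hardened handler: invalid or unknown ids yield a plain 404
// instead of a database error page that would expose query details.
function spiffy_serve_playlist() {
    global $wpdb;
    $row = spiffy_get_playlist_hardened( $wpdb );
    if ( null === $row ) {
        status_header( 404 );
        exit;
    }
    header( 'Content-Type: application/xspf+xml; charset=utf-8' );
    echo $row->xspf;
    exit;
}
```

Until a vendor fix exists, the same two checks (the parameter must be all digits, and the query must go through $wpdb->prepare()) are what an administrator patching the plug-in locally would apply; a request whose playlist_id is anything other than a positive integer should be logged, since legitimate player embeds never send one.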
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive in nature and are intended only for security research and teaching. Users bear all risk arising from their use!
http://www.example.com/wp-content/plugins/spiffy/playlist.php?playlist_id=[SQL]
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Boriel
------
Currently, the vendor does not provide a patch or upgrade. We recommend that users of the software watch the vendor's homepage for the latest version:
http://www.boriel.com/software/plugins/the-wordpress-xspf-player-plugin?lang=en