BugTraq
Multiple SQL injection vulnerabilities in WordPress Video Player Jul 19 2016 07:57PM
Summer of Pwnage (lists securify nl)
------------------------------------------------------------------------

Multiple SQL injection vulnerabilities in WordPress Video Player
------------------------------------------------------------------------

David Vaartjes & Yorick Koster, July 2016

------------------------------------------------------------------------

Abstract
------------------------------------------------------------------------

It was discovered that WordPress Video Player is affected by multiple
blind SQL injection vulnerabilities. Using these issues it is possible
for a logged-on Contributor (or higher) to extract arbitrary data (e.g.,
the Administrator's password hash) from the WordPress database.

------------------------------------------------------------------------

OVE ID
------------------------------------------------------------------------

OVE-20160712-0004

------------------------------------------------------------------------

Tested versions
------------------------------------------------------------------------

This issue was successfully tested on version 1.5.16 of the WordPress
Video Player plugin for WordPress.

------------------------------------------------------------------------

Fix
------------------------------------------------------------------------

This issue is resolved in WordPress Video Player 1.5.18.

------------------------------------------------------------------------

Details
------------------------------------------------------------------------

https://sumofpwn.nl/advisory/2016/multiple_sql_injection_vulnerabilities_in_wordpress_video_player.html

------------------------------------------------------------------------

Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.
