Vendor: WP Private Messages
By: Lenon Leite
CVSS: 8.8 (HIGH)
Vulnerability Type: SQL Injection
CWE: CWE-89
Product Name: WP Private Messages
Affected Version From: 1.0.1
Affected Version To: 1.0.1
Patch Exists: Yes
Related CWE: N/A
CPE: a:wordpress:wp_private_messages:1.0.1
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Ubuntu 14.04
2016
WP Private Messages 1.0.1 – WordPress Plugin – SQL Injection
WP Private Messages 1.0.1 is vulnerable to SQL injection. The vulnerability exists because user-supplied input in the 'id' parameter of the 'wpu_private_messages.php' script is not properly sanitized before it is used in a database query. A remote attacker can send a specially crafted request to the vulnerable script and execute arbitrary SQL commands against the application's database, potentially allowing the attacker to compromise the application, read or modify data (including other users' private messages and WordPress user records), or exploit latent vulnerabilities in the underlying database.
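The following is an added example, not code from the WP Private Messages plugin or from this advisory. The plugin's actual source is not reproduced on this page, so the vulnerable query shape, the table name `wp_private_messages` and its columns are assumptions; the `wp_users` columns (`ID`, `user_login`, `user_pass`) are standard WordPress. It uses an in-memory SQLite database with constructed rows to show what an unsanitized `id` parameter lets an attacker do, beside the hardened form (integer coercion plus a parameterized query, the equivalent of `absint()` and `$wpdb->prepare()` in a WordPress plugin).

```python
import sqlite3

# Constructed sample data (not from the advisory): three private messages and one WordPress user.
SAMPLE_MESSAGES = [
    (1, 10, 20, "lunch at noon?"),
    (2, 10, 30, "invoice attached"),
    (3, 30, 10, "password reset link for the admin account"),
]
SAMPLE_USERS = [
    (1, "admin", "$P$Bexamplehash"),  # user_pass value is a constructed placeholder
]


def make_db():
    """Build an in-memory stand-in for the plugin's table and the core wp_users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_private_messages "
        "(id INTEGER PRIMARY KEY, sender INTEGER, recipient INTEGER, body TEXT)"
    )
    conn.execute("CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT)")
    conn.executemany("INSERT INTO wp_private_messages VALUES (?, ?, ?, ?)", SAMPLE_MESSAGES)
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def fetch_message_vulnerable(conn, current_user, msg_id):
    """Assumed shape of the flaw: the raw 'id' request parameter is spliced into the SQL text.

    The ownership check after AND is meant to restrict the caller to their own messages,
    but attacker-controlled text in msg_id can rewrite the WHERE clause or comment it out.
    """
    sql = (
        "SELECT id, sender, recipient, body FROM wp_private_messages "
        f"WHERE id = {msg_id} AND (sender = {int(current_user)} OR recipient = {int(current_user)})"
    )
    return conn.execute(sql).fetchall()


def fetch_message_safe(conn, current_user, msg_id):
    """Hardened form: coerce id to a non-negative integer, then bind every value as a parameter.

    Anything that is not a plain integer ('1 OR 1=1 --', '0 UNION ...') is rejected before
    the query is built, and the bound parameters can never change the statement's structure.
    """
    try:
        clean_id = int(str(msg_id).strip())
    except ValueError:
        return []
    if clean_id < 0:
        return []
    sql = (
        "SELECT id, sender, recipient, body FROM wp_private_messages "
        "WHERE id = ? AND (sender = ? OR recipient = ?)"
    )
    return conn.execute(sql, (clean_id, int(current_user), int(current_user))).fetchall()


# Two payloads of the kind the advisory describes, as they would arrive in the 'id' parameter.
# The trailing '-- ' comments out the ownership check that follows the injected text.
PAYLOAD_DUMP_ALL = "1 OR 1=1 -- "
PAYLOAD_UNION_USERS = "0 UNION SELECT ID, 0, 0, user_login || ':' || user_pass FROM wp_users -- "


def demo(current_user=20):
    """Run both code paths for a normal id and for the two payloads; return the results."""
    conn = make_db()
    return {
        "vuln_normal": fetch_message_vulnerable(conn, current_user, "1"),
        "vuln_dump_all": fetch_message_vulnerable(conn, current_user, PAYLOAD_DUMP_ALL),
        "vuln_union_users": fetch_message_vulnerable(conn, current_user, PAYLOAD_UNION_USERS),
        "safe_normal": fetch_message_safe(conn, current_user, "1"),
        "safe_dump_all": fetch_message_safe(conn, current_user, PAYLOAD_DUMP_ALL),
        "safe_union_users": fetch_message_safe(conn, current_user, PAYLOAD_UNION_USERS),
        "safe_other_users_message": fetch_message_safe(conn, current_user, "3"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

User 20 legitimately owns only message 1. Through the vulnerable path the first payload returns all three messages and the second returns the `admin` login and password hash from `wp_users`; through the hardened path both payloads fail integer coercion and return nothing, and a request for message 3 (which belongs to other users) is filtered by the bound ownership check. When reviewing a plugin for this class of bug, look for `$_GET`/`$_POST`/`$_REQUEST` values reaching `$wpdb->query()`, `get_row()`, `get_results()` or `get_var()` without passing through `$wpdb->prepare()` or an integer cast.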
Mitigation:
The vendor has released an update to address this vulnerability. Users are advised to update to the latest version of the plugin.