SQL injection vulnerability
In wp-athletics-db.php, line 1937 (get_events_for_year), there is an obvious SQL injection vector.
Essentially, using $data['year'] completely unsanitised in an SQL statement.
The SQL should ideally be converted into a prepared statement, but a simple fix would be to sanitise $data['year'] before using it.

PoC (JavaScript) – note the '; #' in the year parameter:
WPA.Ajax.getEvents({year: '2017 ORDER by e.date DESC; #'}, function(result) {
    if(result && result.results) {
        WPA.Events.printEvents(result.results);
    }
});
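
Added example (not part of the original post and not the plugin's own code): one way to apply both fixes the report names, strict validation of the year plus a prepared statement through WordPress's `$wpdb->prepare()`. The function names, the `wpa_event` table name and the query shape are assumptions; only the `year` key and the `e.date` column come from the report.

```php
<?php
/**
 * Added example, not the plugin's code. Function names, the table name and
 * the query shape are hypothetical; it is meant to run inside WordPress,
 * where $wpdb is the global database object.
 */

/** Return the year as an int, or null if it is not a plain numeric year. */
function wpa_example_parse_year( $raw ) {
    // ctype_digit() accepts digits only: no sign, whitespace or trailing SQL.
    if ( ! is_scalar( $raw ) || ! ctype_digit( (string) $raw ) ) {
        return null;
    }
    $year = (int) $raw;
    // The accepted range is an assumption; adjust it to the data the site holds.
    return ( $year >= 1900 && $year <= 2100 ) ? $year : null;
}

/** Fetch events for one year with the value bound, not concatenated. */
function wpa_example_get_events_for_year( $wpdb, array $data ) {
    $year = wpa_example_parse_year( $data['year'] ?? null );
    if ( null === $year ) {
        return array(); // reject the request instead of passing input to SQL
    }

    $table = $wpdb->prefix . 'wpa_event'; // hypothetical table name

    // %d makes prepare() cast the argument to an integer, so the request
    // value can never become part of the SQL text.
    $sql = $wpdb->prepare(
        "SELECT e.* FROM {$table} e WHERE YEAR(e.date) = %d ORDER BY e.date ASC",
        $year
    );

    return $wpdb->get_results( $sql );
}
```

With this in place, the `year` value from the PoC above fails `wpa_example_parse_year()` and returns an empty result set; even without the validation step, `%d` would reduce it to the integer 2017.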