
SQL injection in WordPress
Vulnerability: SQL injection in WordPress Hitasoft FLV Player
Danger: Medium
Number of vulnerabilities: 1
Exploitation vector: Remote
Impact: Unauthorized modification
Affected products: WordPress Hitasoft FLV Player Plugin 1.x
Affected versions: WordPress Hitasoft FLV Player 1.1, possibly earlier.
Description:
The vulnerability allows a remote user to execute arbitrary SQL commands in the application database.
The vulnerability is caused by insufficient validation of input passed via the "id" parameter to the script wp-content/plugins/hitasoft_player/config.php. This can be exploited to execute arbitrary SQL commands in the application database.
Manufacturer URL: http://hitasoft.com/
Solution: No fix is available at present.
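Because no vendor fix is listed, the following added illustration (not the plugin's own code, which this advisory does not show) contrasts the kind of handler the description implies with a hardened version that uses WordPress's own `absint()` and `$wpdb->prepare()`; the function names and the table name are assumptions.

```php
<?php
// Added illustration, not the Hitasoft FLV Player plugin's actual code.
// Assumes it runs inside WordPress, where $wpdb, absint(), wp_unslash()
// and wp_die() are available. The table name is hypothetical.

// VULNERABLE PATTERN (hypothetical): the raw "id" request value is
// concatenated into the SQL text, so any SQL metacharacters in it
// become part of the statement the database executes.
function hitasoft_player_config_vulnerable() {
    global $wpdb;
    $id  = $_GET['id'];
    $sql = "SELECT * FROM {$wpdb->prefix}hitasoft_player WHERE id = " . $id;
    return $wpdb->get_row( $sql );
}

// HARDENED: the value is forced to a positive integer before use, and the
// query is built with $wpdb->prepare(), which binds the value through a
// %d placeholder instead of splicing request text into the statement.
function hitasoft_player_config_hardened() {
    global $wpdb;
    if ( ! isset( $_GET['id'] ) ) {
        wp_die( 'Missing player id', '', array( 'response' => 400 ) );
    }
    // absint() turns non-numeric or negative input into 0, which we reject.
    $id = absint( wp_unslash( $_GET['id'] ) );
    if ( 0 === $id ) {
        wp_die( 'Invalid player id', '', array( 'response' => 400 ) );
    }
    $row = $wpdb->get_row(
        $wpdb->prepare(
            "SELECT * FROM {$wpdb->prefix}hitasoft_player WHERE id = %d",
            $id
        )
    );
    if ( null === $row ) {
        wp_die( 'Player not found', '', array( 'response' => 404 ) );
    }
    return $row;
}
```

Until a vendor release is available, site owners can apply the same two changes (integer coercion of "id" and a prepared query) to the plugin's config.php themselves, or restrict access to that script at the web server.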
Links:
http://dl.packetstormsecurity.net/1211-exploits/wphitasoft-sql.txt