WordPress Upload File Plugin SQL Injection

Posted by Philipp

May 31, 2008

A SQL Injection vulnerability has been reported in WordPress by the Balsec Team. The advisory is lacking alot of detail.

This post will be updated as new information is made available.

If you enjoyed this post, please leave a comment or subscribe to the feed and get future articles delivered to your feed reader.

Comment by Nick on June 2, 2008 @ 3:09 pm

Maybe I’m missing something, but wp-uploadfile.php doesn’t appear to be a valid WP file?

Comment by DK on June 2, 2008 @ 5:00 pm

Nick, your not missing anything at all. I assume they mean the upload page under wp-admin, however, the advisory is very vague.

Comment by Andrea_R on June 2, 2008 @ 6:27 pm

It appears to releate to a specific plugin, not wordpress itself.

Comment by Nick on June 3, 2008 @ 10:53 am

I tried to look for the plugin mentioned, but no joy, there’s no reference to that file in the official plug-in svn either.

Search