WordPress Spider Facebook Plugin 'facebook.php' SQL Injection Vulnerability

Bugtraq ID:	69675
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Sep 07 2014 12:00AM
Updated:	Sep 07 2014 12:00AM
Credit:	Claudio Viviani
Vulnerable:	WordPress Spider Facebook Plugin 1.0.8
Not Vulnerable:

WordPress Spider Facebook Plugin 'facebook.php' SQL Injection Vulnerability

Spider Facebook plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Spider Facebook 1.0.8 is vulnerable; other versions may also be affected.

WordPress Spider Facebook Plugin 'facebook.php' SQL Injection Vulnerability

Attackers can use a browser to exploit this issue.

The following example URI is available:

http://www.example.com/wordpress/wp-admin/admin.php?page=Spider_Facebook_manage&task=Spider_Facebook_edit&id=1 and 1=2

WordPress Spider Facebook Plugin 'facebook.php' SQL Injection Vulnerability

Solution:
Reportedly the issue is fixed, however Symantec has not confirmed this. Please contact the vendor for more information.