Home   Best Sellers   Blogging   Coding & Design   Technology   SEO   Travel & living   Career   Videos   Tips   Calculators     
Home  »     »     »     »  Comment Rating Plugin for WordPress 'id' Parameter SQL Injection Vulnerability - Input Validation Error

Comment Rating Plugin for WordPress 'id' Parameter SQL Injection Vulnerability - Input Validation Error

Thursday, November 27, 2014

Comment Rating Plugin for WordPress 'id' Parameter SQL Injection Vulnerability

Recently when we run a symantec server scan on our server, we got a warning like  "Comment Rating Plugin for WordPress 'id' Parameter SQL Injection Vulnerability" and it was listed under "Insufficient User Input Validation" class.



Comment Rating Plugin ( Bob King Comment Rating 2.9.23 ) for WordPress  contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the ck-processkarma.php script not properly sanitizing user-supplied input to the 'id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

Vulnerable version of plugin : Bob King Comment Rating 2.9.23 ( http://wealthynetizen.com ). other versions may also be affected.

Bug Type : Input Validation Error ( Insufficient User Input Validation )


How this works?
Wordpress Comment Rating plugin version 2.9.23 is prone to SQL injection vulnerability. Attackers can use a browser to exploit this issue.  The flaws are caused by improper validation of user-supplied input via the 'id' parameter to '/wp-content/plugins/comment-rating/ck-processkarma.php',which allows attackers to manipulate SQL queries by injecting arbitrary SQL code. Successful exploitation will allow attacker to perform SQL Injection attack and gain sensitive information.

The following example attack URI is available:

http://WWW.YOUR_WEBSITE.COM/wp-content/plugins/comment-rating/ck-processkarma.php?path=1&action=1&id=1%20and%201=2%20--%20



This bug is reported on BugTraq http://www.securityfocus.com/bid/46482/info


How to fix?

Updates are available. Upgrade to version 2.9.24 or higher, as it has been reported to fix this vulnerability.


Download and install the latest plugin from http://wealthynetizen.com/wordpress-plugin-comment-rating/

Or Update with the latest Rating Wordpress plugin at http://wordpress.org/extend/plugins/comment-rating



How to link to this page?
If you wish to link to this page from your website, simply Copy and paste the above HTML code to your web page. It will appear on your page as:
Comment Rating Plugin for WordPress 'id' Parameter SQL Injection Vulnerability - Input Validation Error.




Share this!




comments powered by Disqus

This Weeks 7 Popular Posts


Subscribe to Recent Posts by Email
Stay connected to CROZOOM with regular Email notices of new Techie articles and IT Jobs. Updates will be delivered to your Inbox as soon as they are posted online.

Enter Your Email Address:  

Delivered by FeedBurner   RSS Feed

Search this Blog   



Urgent Openings for PHP trainees, Andriod / IOS developers and PHP developers in Kochi Trivandrum Calicut and Bangalore. Please Send Your updated resumes to recruit.vo@gmail.com   Read more »