Homepage:
https://wordpress.org/plugins/wp-support-plus-responsive-ticket-system/
Description:
Type user access: any user.
$_POST['cat_id'] is not escaped before it is concatenated into the SQL query, and the file is accessible to any user.
File / Code:
Path: /wp-content/wp-support-plus-responsive-ticket-system/includes/admin/wpsp_getCatName.php
Line: 4
<?php
if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
global $wpdb;
$category = $wpdb->get_row( "SELECT * FROM {$wpdb->prefix}wpsp_catagories where id=".$_POST['cat_id'] );
echo stripcslashes($category->name);
?>
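A hardened form of the handler above, as an added example. It is not the vendor's 7.1.5 patch, which this page does not show. It assumes cat_id is an integer key and that the caller expects the name as plain text; absint(), wp_unslash(), $wpdb->prepare(), esc_html() and wp_die() are WordPress core functions.

```php
<?php
// Added example: hardened variant of wpsp_getCatName.php (not the vendor's fix).
if ( ! defined( 'ABSPATH' ) ) {
    exit; // Exit if accessed directly
}

global $wpdb;

// Accept only a scalar value; an array such as cat_id[]=1 is rejected here.
$raw = ( isset( $_POST['cat_id'] ) && is_scalar( $_POST['cat_id'] ) )
    ? wp_unslash( $_POST['cat_id'] )
    : '';

// Assumption: cat_id is a numeric primary key, so coerce it to a
// non-negative integer and refuse missing or zero values.
$cat_id = absint( $raw );
if ( 0 === $cat_id ) {
    wp_die( 'Invalid category id', '', array( 'response' => 400 ) );
}

// Bind the value through a %d placeholder instead of concatenating it,
// and select only the column that is actually returned.
$category = $wpdb->get_row(
    $wpdb->prepare(
        "SELECT name FROM {$wpdb->prefix}wpsp_catagories WHERE id = %d",
        $cat_id
    )
);

// get_row() returns null when no row matches; the original dereferenced it anyway.
if ( null === $category ) {
    wp_die( 'Category not found', '', array( 'response' => 404 ) );
}

// Keep the original unslashing, then HTML-escape before echoing.
echo esc_html( stripcslashes( $category->name ) );
```

Because the page notes the file is reachable by any user, a capability or nonce check at the entry point that includes this file would be a separate hardening step; its action name depends on plugin code not shown here.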
Proof of Concept:
1 – Using an HTML form:
2 – Using Postman (a Chrome plugin for sending requests)
Timeline:
- 12/12/2016 – Discovered
- 13/12/2016 – Vendor notified
- 16/12/2016 – Issue resolved in version 7.1.5
Hi there,
Thank you for reporting this issue. It is now fixed in new release 7.1.5.
Pradeep Makone
Author, WP Support Plus
You are an example of a professional, for updating the system fast. Congrats