Homepage:
Description:
Type of user: any user.
$_GET['uid'] is not escaped. The URL is accessible to any user.
I will have to find a post or page that uses the plugin, that is, one that uses its shortcode, for example:
Vulnerable URL: http://target/2016/09/26/ola-mundo-2/
File / Code:
File: /wp-content/plugins/bbs-e-franchise/lib/franchise.class.php
        ) );
        require_once($templatePath.'/list.php');
    // View
    } else {
        $DATA = $wpdb->get_row( "SELECT * FROM {$this->table_list} WHERE ( prefix='{$wpdb->prefix}' AND hide='N' ) AND uid = {$uid}" );
        $titleArray = array(
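An added example, not the plugin's code: Python with an in-memory SQLite table standing in for PHP and $wpdb, showing why the unquoted `uid = {$uid}` needs integer validation plus parameter binding rather than string escaping. The table name `franchise_list`, the sample rows and the helper names are assumptions; in the plugin itself the equivalent is `$wpdb->prepare()` with a `%d` placeholder.

```python
import sqlite3

def make_db():
    """Constructed sample data; columns mirror the query shown above."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE franchise_list "
               "(uid INTEGER, prefix TEXT, hide TEXT, title TEXT)")
    db.executemany(
        "INSERT INTO franchise_list VALUES (?, ?, ?, ?)",
        [(1, "wp_", "N", "public branch"), (2, "wp_", "Y", "hidden branch")],
    )
    return db

def get_row_interpolated(db, prefix, uid):
    """'Before': uid is pasted into the SQL text in a numeric context."""
    sql = ("SELECT title FROM franchise_list "
           f"WHERE ( prefix='{prefix}' AND hide='N' ) AND uid = {uid}")
    return [r[0] for r in db.execute(sql)]

def parse_uid(raw):
    """Accept only a short ASCII decimal string; reject everything else."""
    ok = (isinstance(raw, str) and raw.isascii()
          and raw.isdigit() and len(raw) <= 10)
    if not ok:
        raise ValueError("uid must be a non-negative integer")
    return int(raw)

def get_row_bound(db, prefix, raw_uid):
    """'After': validate uid as an integer and bind it as a parameter."""
    sql = ("SELECT title FROM franchise_list "
           "WHERE ( prefix=? AND hide='N' ) AND uid = ?")
    return [r[0] for r in db.execute(sql, (prefix, parse_uid(raw_uid)))]

def demo():
    db = make_db()
    tampered = "2 OR uid = 2"  # constructed non-numeric input
    # Interpolated: the OR clause sits outside the hide='N' filter.
    before = get_row_interpolated(db, "wp_", tampered)
    try:
        after = get_row_bound(db, "wp_", tampered)
    except ValueError:
        after = "rejected"
    return before, after

if __name__ == "__main__":
    print(demo())
```

Because the value is not wrapped in quotes, quote-escaping alone would not change the result of the interpolated query; only the integer check and the bound parameter keep the `hide='N'` filter in force.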
Proof of Concept:
Timeline:
- 12/11/2016 – Discovered
- 17/11/2016 – Warned