Homepage:
https://wordpress.org/plugins/sirv/
Description:
$_POST['row_id'] is used without any input validation or escaping and is concatenated straight into a SQL query (SQL injection). sirv_get_row_by_id() is reachable by any registered (logged-in) user through the wp_ajax_sirv_get_row_by_id hook.
File / Code:
add_action('wp_ajax_sirv_get_row_by_id', 'sirv_get_row_by_id'); // wp_ajax_* hooks are reachable by every authenticated user

function sirv_get_row_by_id() {
    // Only checks that the request is an AJAX call carrying row_id; no nonce, no capability check
    if (!(is_array($_POST) && isset($_POST['row_id']) && defined('DOING_AJAX') && DOING_AJAX)) {
        return;
    }
    global $wpdb;
    $table_name = $wpdb->prefix . 'sirv_shortcodes';
    $id = $_POST['row_id']; // attacker-controlled, unsanitised
    // Sink: $id is interpolated directly into the SQL string instead of going through $wpdb->prepare()
    $row = $wpdb->get_row("SELECT * FROM $table_name WHERE id = $id", ARRAY_A);
    // Database content is unserialized and echoed back to the caller
    $row['images'] = unserialize($row['images']);
    echo json_encode($row);
    //echo json_encode(unserialize($row['images']));
    wp_die();
}
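For comparison, a hardened rewrite of the same handler (an added example, not the plugin's own code or the vendor's fix). The nonce action name 'sirv_ajax_nonce' and the 'upload_files' capability are assumptions chosen for illustration; the plugin's real values may differ.

```php
<?php
// Added example: hardened form of sirv_get_row_by_id(); not the plugin's own patch.
// 'sirv_ajax_nonce' and 'upload_files' are hypothetical placeholders.
add_action( 'wp_ajax_sirv_get_row_by_id', 'sirv_get_row_by_id_hardened' );

function sirv_get_row_by_id_hardened() {
    if ( ! ( defined( 'DOING_AJAX' ) && DOING_AJAX ) ) {
        return;
    }

    // 1. CSRF: require a nonce issued to this user (action name is hypothetical).
    check_ajax_referer( 'sirv_ajax_nonce', 'nonce' );

    // 2. Authorisation: every logged-in user can reach wp_ajax_* hooks, so gate on
    //    a capability rather than on authentication alone (capability is hypothetical).
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Input validation: the id column is an integer, so coerce it and reject 0.
    $id = isset( $_POST['row_id'] ) ? absint( wp_unslash( $_POST['row_id'] ) ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( array( 'message' => 'invalid row_id' ), 400 );
    }

    global $wpdb;
    $table_name = $wpdb->prefix . 'sirv_shortcodes';

    // 4. Parameterised query: the value is bound with %d instead of being
    //    concatenated into the SQL string.
    $row = $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$table_name} WHERE id = %d", $id ),
        ARRAY_A
    );
    if ( null === $row ) {
        wp_send_json_error( array( 'message' => 'not found' ), 404 );
    }

    // 5. The images column is stored serialised by the plugin, so it still has to be
    //    unserialised; restricting allowed_classes (PHP 7.0+) stops a crafted blob
    //    from instantiating arbitrary objects.
    $row['images'] = unserialize( $row['images'], array( 'allowed_classes' => false ) );

    // wp_send_json_success() emits the JSON and calls wp_die() itself.
    wp_send_json_success( $row );
}
```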
Proof of Concept:
1 – Log in as a regular user (created via wp-login.php?action=register).
2 – Send a POST request to:
target => http://target/wp-admin/admin-ajax.php
Timeline:
- 10/11/2016 – Discovered
- 10/11/2016 – Vendor notified