WordPress Plugin Vulnerabilities

Link-Library <= 5.9.13.26 – Authenticated SQL Injection

Description

Type user access: admin user.

$_GET[‘linkid’] is not escaped.

Proof of Concept

Affects Plugins

Plugin icon
link-library
Fixed in 5.9.13.27

References

URL
https://lenonleite.com.br/en/2017/08/14/link-library-5-9-13-26-plugin-wordpress-sql-injection/
URL
https://plugins.trac.wordpress.org/changeset/1713187/link-library

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89

Miscellaneous

Submitter
Lenon Leite / Log.pt
Submitter website
http://lenonleite.com.br/
Submitter twitter
lenonleite
Verified
No
WPVDB ID
bfc1a75e-b001-43f2-b618-7c1e2a67012b

Timeline

Publicly Published
2017-08-14 (about 8 years ago)
Added
2017-08-16 (about 8 years ago)
Last Updated
2019-11-01 (about 6 years ago)

Other

Published
Title
Published
2014-08-01
Title
WP DS FAQ Plus - Unspecified SQL Injection
Published
2025-02-23
Title
WP Multistore Locator < 2.5.2 - Unauthenticated SQL Injection
Published
2020-04-01
Title
LearnDash < 3.1.6 - Unauthenticated SQL Injection
Published
2018-05-27
Title
wpForo Forum < 1.4.11 - Unauthenticated SQL Injection
Published
2025-07-31
Title
Super Store Finder < 7.6 - Unauthenticated SQL Injection