WordPress Users Ultra Plugin 1.5.50...

Published: 2025-04-13
Revised: 2025-04-13

The file xooclasses/xoo.userultra.photos.php in the users-ultra plugin contains the following code:

```
public function edit_video_confirm () {
    global $wpdb, $xoouserultra;
    require_once(ABSPATH . 'wp-includes/formatting.php');
    $user_id = get_current_user_id();
    $video_id = $_POST["video_id"]; // video_id is taken straight from POST
    $video_name = sanitize_text_field($_POST["video_name"]);
    $video_unique_id = sanitize_text_field($_POST["video_unique_id"]);
    $video_type = sanitize_text_field($_POST["video_type"]);
    if($video_id!="") {
        $query = "UPDATE " . $wpdb->prefix ."usersultra_videos SET `video_name` = '$video_name', `video_unique_vid` = '$video_unique_id' , `video_type` = '$video_type' WHERE `video_id` = '$video_id' AND `video_user_id` = '$user_id' "; // the WHERE clause can be injected
        $wpdb->query( $query );
    }
    die();
}
```

In this function it is plain that video_id from the POST data enters the query without any filtering. The other fields pass through sanitize_text_field(), but video_id does not, and all of them are concatenated into the SQL string rather than bound as parameters.

The file js/expandible.js performs the following:

```
//edit video
jQuery(document).on("click", "a[href='#resp_edit_video']", function(e) {
    e.preventDefault();
    var video_id = jQuery(this).attr("data-id");
    jQuery.ajax({...
```
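For comparison, here is the same handler rewritten so that video_id is coerced to an integer and every value is bound through $wpdb->prepare(). This is an added example, not code from the plugin; it assumes the WordPress runtime (global $wpdb, get_current_user_id, sanitize_text_field, absint, check_ajax_referer, wp_die) and the same usersultra_videos table, and the class name and nonce action name are hypothetical.

```php
<?php
// Hardened version of edit_video_confirm() (added example, not the plugin's code).
// Class name and nonce action 'xoo_edit_video' are hypothetical placeholders.
class Xoo_UserUltra_Photos_Hardened {

    public function edit_video_confirm() {
        global $wpdb;

        // The original handler performs no nonce check; this one requires
        // a 'security' nonce field generated for the action 'xoo_edit_video'.
        check_ajax_referer( 'xoo_edit_video', 'security' );

        $user_id = get_current_user_id();
        if ( ! $user_id ) {
            wp_send_json_error( 'not logged in', 403 );
        }

        // absint() turns any non-numeric input into 0, so video_id can only
        // ever reach the query as a non-negative integer.
        $video_id        = isset( $_POST['video_id'] ) ? absint( $_POST['video_id'] ) : 0;
        $video_name      = sanitize_text_field( wp_unslash( $_POST['video_name'] ?? '' ) );
        $video_unique_id = sanitize_text_field( wp_unslash( $_POST['video_unique_id'] ?? '' ) );
        $video_type      = sanitize_text_field( wp_unslash( $_POST['video_type'] ?? '' ) );

        if ( $video_id > 0 ) {
            // Every request-controlled value is a bound placeholder (%s / %d).
            // The only interpolated piece is the table prefix, which comes from
            // $wpdb configuration, not from the request.
            $sql = $wpdb->prepare(
                "UPDATE {$wpdb->prefix}usersultra_videos
                    SET `video_name` = %s, `video_unique_vid` = %s, `video_type` = %s
                  WHERE `video_id` = %d AND `video_user_id` = %d",
                $video_name,
                $video_unique_id,
                $video_type,
                $video_id,
                $user_id
            );
            $wpdb->query( $sql );
        }
        wp_die();
    }
}
```

Keeping the `video_user_id = %d` condition preserves the original ownership check, so a user can still only update rows that belong to them.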

No Exp or PoC available
Currently 0 affected-product records