WordPress All Video Gallery Plugin SQL injection vulnerability

Advisory

Secunia Advisory SA50874

Analysis of vulnerability

The All Video Gallery Plugin has two pages, playlist.php and /xml/playlist.php, both of which take a “vid” ID and output the result of the query in XML format.

Note, however, that the “vid” GET parameter is never sanitized, which means that we can inject SQL into it and disclose information from the database by making a simple request to either of the pages like this:
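
On the defensive side, the missing handling of “vid” comes down to validating it as an integer and binding it as a query parameter. The block below is an added example, not the plugin's code: the `videos` table, its columns and the `playlist_xml` function are assumptions, and PDO with in-memory SQLite stands in for the WordPress database layer so that it runs on its own.

```php
<?php
// Added example: hypothetical schema and function names, not the plugin's code.
declare(strict_types=1);

/** Return playlist XML for one video id taken from untrusted input. */
function playlist_xml(PDO $db, $rawVid): string
{
    // 1. Validate: "vid" must be a positive integer, nothing else.
    $vid = filter_var($rawVid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);

    $xml = new XMLWriter();
    $xml->openMemory();
    $xml->startDocument('1.0', 'UTF-8');
    $xml->startElement('playlist');

    if ($vid !== false) {
        // 2. Bind the value; never concatenate it into the SQL text.
        //    Inside WordPress the equivalent is $wpdb->prepare() with a %d placeholder.
        $stmt = $db->prepare('SELECT id, title, url FROM videos WHERE id = :vid');
        $stmt->bindValue(':vid', $vid, PDO::PARAM_INT);
        $stmt->execute();
        foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
            // 3. XMLWriter escapes text nodes, so stored data cannot break the document.
            $xml->startElement('video');
            $xml->writeElement('id', (string) $row['id']);
            $xml->writeElement('title', $row['title']);
            $xml->writeElement('url', $row['url']);
            $xml->endElement();
        }
    }
    $xml->endElement();
    $xml->endDocument();
    return $xml->outputMemory();
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE videos (id INTEGER PRIMARY KEY, title TEXT, url TEXT)');
$db->exec("INSERT INTO videos VALUES (1, 'Intro & <demo>', 'https://example.test/1.mp4')");

// A plain integer returns the row; every other input yields an empty playlist.
foreach (['1', '1abc', "1'", '-5', ''] as $input) {
    printf("%-8s => %s\n", var_export($input, true), trim(playlist_xml($db, $input)));
}
```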