CVE-2008-0520

WassUp Plugin 1.4-1.4.3 - SQL Injection via from_date or to_date Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2008-0520. PoCs published by enter_the_dragon.

AI-analyzed exploit summary This exploit targets a SQL injection vulnerability in the WordPress WassUp plugin v1.4.3. It injects a malicious SQL query via the 'to_date' parameter to retrieve WordPress administrator and user logins along with their MD5 hashed passwords.

Description

Multiple SQL injection vulnerabilities in main.php in the WassUp plugin 1.4 through 1.4.3 for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) from_date or (2) to_date parameter to spy.php.

Exploits (1)

exploitdb WORKING POC VERIFIED

by enter_the_dragon · phpwebappsphp

https://www.exploit-db.com/exploits/5017

View Code ZIP pw:eip

This exploit targets a SQL injection vulnerability in the WordPress WassUp plugin v1.4.3. It injects a malicious SQL query via the 'to_date' parameter to retrieve WordPress administrator and user logins along with their MD5 hashed passwords.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Trivial

Reliability

Reliable

Target: WordPress WassUp plugin v1.4.3

No auth needed

Prerequisites: Target must have the vulnerable WordPress WassUp plugin installed · Target must have the plugin accessible at the specified path

MITRE ATT&CK