VR-Frases WordPress Plugin SQL Injection Vulnerability

A SQL injection vulnerability has been identified in the VR-Frases (collect & share quotes) plugin for WordPress, affecting all versions through 3.0.1. The vulnerability arises from inadequate escaping of user-supplied parameters and insufficient preparation of the SQL query, allowing unauthenticated attackers to inject additional SQL commands. This exploitation could lead to the extraction of sensitive information from the database.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can manipulate SQL queries to access or modify database information. In this case, it could be used to extract sensitive data from the WordPress database.

Reproduction

To reproduce this vulnerability, an authenticated user with admin privileges can send a request to the WordPress site with injected SQL commands in the parameters of the 'accion' request. The SQL injection can be performed through the 'vrfr_managefrases', 'vrfr_manageclases', or 'vrfr_managetemas' pages by appending SQL payloads that exploit the vulnerable query handling functions.