WP-ClanWars WordPress Plugin SQL Injection Vulnerability

Vulnerability

A SQL injection vulnerability has been identified in the WP-ClanWars plugin for WordPress, affecting all versions through 2.0.1. The vulnerability arises from inadequate escaping of the user-supplied 'orderby' parameter, allowing authenticated attackers with administrator-level access to append additional SQL queries to the existing query. Exploitation could expose sensitive database information.

Impact

Successful exploitation allows authenticated administrators to append malicious SQL queries, potentially leading to unauthorized data access or manipulation.

Reproduction

To reproduce this vulnerability, an authenticated user with administrator privileges sends a request to a vulnerable endpoint that accepts the 'orderby' parameter. Because the parameter is not adequately escaped, a crafted value appends SQL to the original query and changes how that query executes.

Remediation

No patch is known to be available for this vulnerability. Review the vulnerability details and consider uninstalling the affected plugin.
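As an added illustration, not code from the WP-ClanWars plugin (the advisory does not show the plugin's source), the following hypothetical PHP contrasts the unsafe pattern the advisory describes, a request-supplied 'orderby' value interpolated into the query, with an allow-listed ORDER BY; the table and column names are assumed.

```php
<?php
// Added illustration, not the plugin's own code. Table/column names are assumed.

// UNSAFE: the request value lands in the ORDER BY clause as-is. ORDER BY takes
// an identifier, so string-escaping helpers do not neutralise an appended
// clause, and identifiers cannot be bound as prepared-statement parameters.
function build_query_unsafe(string $orderby): string {
    return "SELECT id, title FROM wp_example_matches ORDER BY " . $orderby;
}

// HARDENED: map the request value onto a fixed set of sortable columns and
// directions; anything outside the allow-list falls back to a default.
const ALLOWED_ORDERBY = ['id' => 'id', 'date' => 'match_date', 'title' => 'title'];
const ALLOWED_ORDER   = ['ASC' => 'ASC', 'DESC' => 'DESC'];

function build_query_safe(string $orderby, string $order = 'ASC'): string {
    $column    = ALLOWED_ORDERBY[strtolower($orderby)] ?? 'id';   // unknown key -> default
    $direction = ALLOWED_ORDER[strtoupper($order)]     ?? 'ASC';
    // In a WordPress plugin this string would be passed to $wpdb->get_results().
    return "SELECT id, title FROM wp_example_matches ORDER BY {$column} {$direction}";
}

// Constructed request values: a benign column name and one carrying extra SQL.
foreach (['title', 'title, 1 -- injected'] as $value) {
    echo "unsafe: ", build_query_unsafe($value), PHP_EOL;   // extra SQL passes through
    echo "safe:   ", build_query_safe($value), PHP_EOL;     // falls back to ORDER BY id ASC
}
```

When reviewing a plugin for this bug class, look for request parameters that reach ORDER BY (or LIMIT or table/column names) through string concatenation rather than an allow-list, since those positions cannot be protected by `$wpdb->prepare()` placeholders for values.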

Added: Jan 24, 2026, 8:32 AM
Updated: Jan 24, 2026, 8:32 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 5.8
remediation: 0.0
relevance: 2.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.