Headline
CVE-2017-20066: WordPress Adminer plugin allows public (local) database login
A vulnerability has been found in Adminer Login 1.4.4 and classified as problematic. This vulnerability affects unknown code. The manipulation leads to improper access controls. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used.
Full Disclosure mailing list archives
From: Summer of Pwnage <lists () securify nl>
Date: Wed, 1 Mar 2017 07:11:29 +0100
------------------------------------------------------------------------
WordPress Adminer plugin allows public (local) database login
David Vaartjes, July 2016
Abstract
The Adminer WordPress plugin allows public login to the site’s editor. As a result this allows an attacker to connect to any database running on the local host or on internal systems which are accessible from the target WordPress server.
OVE ID
OVE-20160728-0001
Tested versions
This issue was successfully tested on the Adminer WordPress Plugin version 1.4.4.
Fix
Currently no fix for this issue is available.
Details
https://sumofpwn.nl/advisory/2016/wordpress_adminer_plugin_allows_public__local__database_login.html
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its goal is to contribute to the security of popular, widely used OSS projects in a fun and educational way.