Unauthenticated SQL Injection in the WordPress plugin Voting for a photo (1.2)
Voting for a photo (WordPress.org, version 1.2) Voting for a photo (1.2) registers a public, unauthenticated admin-ajax.php action whose handler concatenates a POST parameter directly into a SQL query with no sanitisation, integer cast, or prepared statement. An unauthenticated visitor can inject SQL and read arbitrary database contents (WordPress user password hashes, secrets). The plugin has been unmaintained since December 2018; no fixed release exists — remove it.
Voting for a photo 1.2 (WordPress.org) contains an unauthenticated sql injection. The plugin registers a handler reachable by visitors who are not logged in, and it concatenates a request parameter straight into a live SQL statement.
The unauthenticated AJAX handler takes a POST parameter and concatenates it directly into a SQL query with no sanitisation, integer cast, or prepared statement, so the value reaches the database unaltered. The result is a blind/time-based SQL-injection channel through which the full database (user password hashes, secrets) can be extracted.
Voting for a photo was surfaced automatically by the codelake WordPress static-analysis pipeline (source-to-sink taint) · AI false-positive triage · manual source verification, and then verified by hand against the shipped 1.2 artifact. The plugin has not been updated since 2018-12-11; because no patched release exists, the correct remediation is to remove it.
Class: SQL Injection (CWE-89). Privilege required: none — the injectable endpoint is registered for logged-out visitors. Effect: read access to the entire database via blind SQL injection (credential hashes, secrets, tokens); depending on database privileges, write access.
A second variant with the same flaw exists in the same file. The precise locations and code are withheld below until the disclosure deadline.
3:00 UTC
Detected by codelake Research · codelake WordPress static-analysis pipeline (source-to-sink taint) · AI false-positive triage · manual source verification · disclosed to WordPress Plugin Security Team before publication.
This is a coordinated vulnerability disclosure. The affected package, version and class are published immediately so defenders can act; the exact code location and reproduction are withheld until the deadline, and no weaponised proof-of-concept is published. The archived artifact is available to verified security researchers on request.