Mingle Forum

Type: SQL Injection
Exploit version: 1.0.33.3
Release Date: 20-02-2013
Status: has not been patched yet.

Description:
1) Input passed to the "search_words" POST parameter in index.php (when "page_id" is set to a valid forum page id and "mingleforumaction" is set to "search") is not properly sanitised in wp-content/plugins/mingle-forum/wpf.class.php before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

2) Input passed to the "togroupusers" POST parameter in wp-admin/admin.php (when "page" is set to "mfgroups", "usergroup" is set to a valid group ID, and "add_user_togroup" is set) is not properly sanitised in wp-content/plugins/mingle-forum/fs-admin/fs-admin.php before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

3) Input passed via the "id" parameter to index.php (when "page_id" is set to a valid forum page id, "mingleforumaction" is set to "viewtopic", "t" is set to e.g. "1.0", and "remove_post" is set) is not properly sanitised in wp-content/plugins/mingle-forum/wpf.class.php before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

4) Input passed via the "id" parameter to index.php (when "page_id" is set to a valid forum page id, "mingleforumaction" is set to "viewtopic", "t" is set to e.g. "1.0", and "sticky" is set) is not properly sanitised in wp-content/plugins/mingle-forum/wpf.class.php before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

5) Input passed via the "id" parameter to index.php (when "page_id" is set to a valid forum page id, "mingleforumaction" is set to "viewtopic", "t" is set to e.g. "1.0", and "closed" is set) is not properly sanitised in wp-content/plugins/mingle-forum/wpf.class.php before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

6) Input passed via the "thread" parameter to index.php (when "page_id" is set to a valid forum page id and "mingleforumaction" is set to "postreply") is not properly sanitised in wp-content/plugins/mingle-forum/wpf.class.php before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
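One way to screen requests matching items 3 to 6 in front of an unpatched install, as an added example (not the plugin's code and not part of the Secunia advisory). It assumes "id" and "thread" are plain decimal identifiers, which the advisory does not state; the function and rule names are hypothetical and the sample requests in the comments are constructed.

```python
import re
from urllib.parse import parse_qs

# Conditions from advisory items 3-6:
# (mingleforumaction value, parameter that must be set, parameter used in the SQL query)
RULES = [
    ("viewtopic", "remove_post", "id"),
    ("viewtopic", "sticky", "id"),
    ("viewtopic", "closed", "id"),
    ("postreply", None, "thread"),
]

# Assumption: post and thread identifiers are plain decimal integers.
_INT = re.compile(r"[0-9]{1,10}")


def check_request(query: str, body: str = "") -> list:
    """Return the advisory parameters whose values are not plain integers.

    query is the raw URL query string, body the raw form-encoded POST body.
    An empty list means the request matches none of items 3-6 or is well formed.
    """
    # keep_blank_values so a bare flag such as "&sticky" still counts as set
    params = parse_qs(query, keep_blank_values=True)
    for name, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(name, []).extend(values)

    if "page_id" not in params:
        return []
    actions = params.get("mingleforumaction", [])

    findings = []
    for action, trigger, target in RULES:
        if action not in actions:
            continue
        if trigger is not None and trigger not in params:
            continue
        # Check every occurrence: a repeated parameter must not slip past
        # a check that only looks at the first value.
        bad = any(not _INT.fullmatch(v) for v in params.get(target, []))
        if bad and target not in findings:
            findings.append(target)
    return findings


# Constructed sample requests:
#   check_request("page_id=5&mingleforumaction=viewtopic&t=1.0&remove_post&id=42")
#   check_request("page_id=5&mingleforumaction=viewtopic&t=1.0&sticky&id=42'x")
```

A request that returns a non-empty list can be rejected or logged for review; this screens input only and does not replace fixing the queries in wpf.class.php.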



Security Information

  1. Secunia ID: 52167
  2. Credit: Secunia Research
  • ¹ Status info requires plugin authors to fill in versioning info on the wordpress.org repository