Title: [Plugin: User Self Delete] SQL Injection Vulnerability
Last modified: August 19, 2016

---

# [Plugin: User Self Delete] SQL Injection Vulnerability

**[Vladimir Kolesnikov](https://wordpress.org/support/users/vladimir_kolesnikov/)** (@vladimir_kolesnikov), [15 years, 5 months ago](https://wordpress.org/support/topic/plugin-user-self-delete-sql-injection-vulnerability/)

```php
if ($_POST['delete_me'] == "yes") {
    mysql_query("DELETE FROM wp_users WHERE id='".$_POST['user_ID']."'");
    echo '<script type="text/javascript">window.location = "'.get_option('siteurl') . '/wp-login.php"</script>';
}
```

This is stupid as `$_POST['user_ID']` is never sanitized and if I pass `1 OR 1` as the ID, the plugin will happily delete ALL users from the database. Is your commercial version that buggy, too?

The next issue is that the plugin does not use the WP API to delete the user. Yes, it removes the entry from the wp_users table (BTW, the prefix is not guaranteed to be "wp_" and it was stupid to hardcode it), but what about the wp_usermeta table? And all other related tables?

I strongly do NOT recommend using this plugin.
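For comparison, here is how the same self-delete handler looks when it addresses the three problems raised above (untrusted ID, hard-coded table prefix, bypassing the WP API). This is an added example, not code from the plugin or from the post; it assumes it runs inside WordPress, and the nonce action name `usd_self_delete` and the function name are made up for the example.

```php
<?php
// Added example: a hardened self-delete handler for a WordPress plugin.
// Assumes WordPress core is loaded (wp_verify_nonce, get_current_user_id,
// wp_delete_user, wp_safe_redirect are core functions). The action name
// 'usd_self_delete' is an assumed value for this example.

function usd_handle_self_delete() {
    // Only react to an explicit confirmation field.
    if ( ! isset( $_POST['delete_me'] ) || 'yes' !== $_POST['delete_me'] ) {
        return;
    }

    // CSRF protection: the form must carry a nonce issued for this action,
    // otherwise any site that can make the browser POST here could delete
    // the account.
    if ( ! isset( $_POST['_wpnonce'] )
        || ! wp_verify_nonce( $_POST['_wpnonce'], 'usd_self_delete' ) ) {
        wp_die( 'Invalid request.' );
    }

    // Never take the ID to delete from the request body. The account being
    // deleted is the one that is logged in, so read it from the session.
    // There is nothing to sanitize because no request value reaches SQL.
    $user_id = get_current_user_id();
    if ( 0 === $user_id ) {
        wp_die( 'You must be logged in to delete your account.' );
    }

    // wp_delete_user() (wp-admin/includes/user.php) removes the users row,
    // the usermeta rows and handles the user's content, using the
    // configured table prefix ($wpdb->prefix) instead of a hard-coded 'wp_'.
    // If raw SQL were ever unavoidable, the parameterised form would be:
    //   $wpdb->query( $wpdb->prepare(
    //       "DELETE FROM {$wpdb->users} WHERE ID = %d", $user_id ) );
    // but that would still leave usermeta and related rows behind.
    require_once ABSPATH . 'wp-admin/includes/user.php';
    if ( ! wp_delete_user( $user_id ) ) {
        wp_die( 'Account deletion failed.' );
    }

    // Drop the auth cookies and redirect server-side instead of emitting
    // JavaScript into the page.
    wp_clear_auth_cookie();
    wp_safe_redirect( wp_login_url() );
    exit;
}
add_action( 'init', 'usd_handle_self_delete' );
```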

