Title: [Plugin: WP Auctions] WordPress Auctions plugin
Last modified: August 20, 2016

---

# [Plugin: WP Auctions] WordPress Auctions plugin

 *  Resolved [henrisalo](https://wordpress.org/support/users/henrisalo/)
 * (@henrisalo)
 * [14 years, 8 months ago](https://wordpress.org/support/topic/plugin-wp-auctions-wordpress-auctions-plugin/)
 * No CVE-identifier yet assigned, but sherl0ck_ found a security issue in this
   module. Have you already received information about this? Have you already started
   working on a patch?
 * Original advisory: [http://seclists.org/fulldisclosure/2011/Sep/121](http://seclists.org/fulldisclosure/2011/Sep/121)
 * Best regards,
    Henri Salo
 * [http://wordpress.org/extend/plugins/wp-auctions/](http://wordpress.org/extend/plugins/wp-auctions/)

Viewing 3 replies - 1 through 3 (of 3 total)

 *  Plugin Author [owencutajar](https://wordpress.org/support/users/owencutajar/)
 * (@owencutajar)
 * [14 years, 8 months ago](https://wordpress.org/support/topic/plugin-wp-auctions-wordpress-auctions-plugin/#post-2298199)
 * Hi Henri,
 * Thanks for raising this with us. The report is right in pointing out that those
   parameters aren’t sanitised (which we will address immediately). It’s worth pointing
   out, though, that this is an administration module (protected by WordPress’s user
   permissions), rather than one that can be accessed anonymously.
 * Our dev team are correcting this as we speak. After all, just because someone
   has administration privileges over our plugin doesn’t mean we should expose
   the rest of the database. Once again, thanks for making us aware of this.
 * Regards
 * Owen
 * P.S. I don’t have access to seclists, would you mind posting my response there
   and letting me know if there’s any followup?
 *  Thread Starter [henrisalo](https://wordpress.org/support/users/henrisalo/)
 * (@henrisalo)
 * [14 years, 8 months ago](https://wordpress.org/support/topic/plugin-wp-auctions-wordpress-auctions-plugin/#post-2298205)
 * Sure, I can post your reply there. Thanks for the fast response. As far as I can tell
   this does not need a CVE-identifier, because of the ACL needed to exploit this vulnerability.
   Still good to fix, of course.
 * About the list in general:
    [http://lists.grok.org.uk/full-disclosure-charter.html](http://lists.grok.org.uk/full-disclosure-charter.html)
   About CVE-identifiers: [http://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures](http://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)
   [http://cve.mitre.org/](http://cve.mitre.org/)
 * Please notify me if you need help fixing the code.
 *  Plugin Author [owencutajar](https://wordpress.org/support/users/owencutajar/)
 * (@owencutajar)
 * [14 years, 8 months ago](https://wordpress.org/support/topic/plugin-wp-auctions-wordpress-auctions-plugin/#post-2298209)
 * Hi Henri,
 * Also wanted to point out that we actually use nonces on the admin to reduce our
   attack surface, so that `$_GET` isn’t actually exploitable.
 * We’re still addressing the direct use of querystring parameters in SQL though, just
   to ensure we don’t get any more false positives.
 * Regards
 * Owen
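
A hypothetical WordPress admin handler, added here as an illustration (not WP Auctions’ own code), showing the weak pattern the advisory describes beside the hardened form the plugin author outlines: a nonce check, a capability check, and `$wpdb->prepare()` so querystring values never reach SQL unescaped. The function, table and column names are assumptions.

```php
<?php
// Added illustration, not the plugin's own code. Hypothetical admin-page
// handler: the weak pattern (querystring value concatenated into SQL)
// beside the hardened form (nonce + capability + prepared statement).
// Table and column names (hypo_auctions, id, title, current_bid) are assumed.

// --- Weak form: untrusted $_GET value goes straight into the query ---
function hypo_auction_lookup_weak() {
    global $wpdb;
    $id = $_GET['auction_id']; // unsanitised, unescaped
    return $wpdb->get_results(
        "SELECT * FROM {$wpdb->prefix}hypo_auctions WHERE id = $id"
    );
}

// --- Hardened form ---
function hypo_auction_lookup_hardened() {
    global $wpdb;

    // 1. CSRF: the request must carry a nonce minted for this action.
    //    The link that lands here is built with
    //    wp_nonce_url( admin_url( 'admin.php?page=hypo_auctions&auction_id=7' ), 'hypo_auction_lookup' )
    check_admin_referer( 'hypo_auction_lookup' );

    // 2. Authorisation: a nonce proves intent, not permission, so check the capability too.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to view auctions.', 'hypo' ), '', array( 'response' => 403 ) );
    }

    // 3. Input: coerce to the type the column expects before it goes near SQL.
    $id = isset( $_GET['auction_id'] ) ? absint( $_GET['auction_id'] ) : 0;
    if ( 0 === $id ) {
        return array();
    }

    // 4. Parameterisation: $wpdb->prepare() binds the value with a %d placeholder,
    //    so the querystring can never alter the query's structure.
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, title, current_bid FROM {$wpdb->prefix}hypo_auctions WHERE id = %d",
            $id
        )
    );
}
```

Even with the nonce in place, the capability check and the prepared statement are what keep an admin-only module from exposing the rest of the database, which is the fix the thread describes.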

The topic ‘[Plugin: WP Auctions] WordPress Auctions plugin’ is closed to new replies.

 * 3 replies
 * 2 participants
 * Last reply from: [owencutajar](https://wordpress.org/support/users/owencutajar/)
 * Last activity: [14 years, 8 months ago](https://wordpress.org/support/topic/plugin-wp-auctions-wordpress-auctions-plugin/#post-2298209)
 * Status: resolved