Title: Scan Errors ORDERBY Parameter
Last modified: March 13, 2020

---

# Scan Errors ORDERBY Parameter

 *  [brgreene](https://wordpress.org/support/users/brgreene/)
 * (@brgreene)
 * [6 years, 2 months ago](https://wordpress.org/support/topic/scan-errors-orderby-parameter/)
 * My payment processor requires me to do a PCI Scan. One of the issues I am having
   with the scan is your plugin. When I disable it I don’t get the security issues.
 * I tried to contact you through your website but I did not receive a reply. The
   report shows two flaws associated with your plugin.
 * **Number 1**
 * > **Title:** CGI Generic SQL Injection (blind, time based)
   > **Synopsis:** A CGI application hosted on the remote web server is potentially
   > prone to SQL injection attack.
   > **Impact:** By sending specially crafted parameters to one or more CGI scripts
   > hosted on the remote web server, SecurityMetrics was able to get a slower response,
   > which suggests that it may have been able to modify the behavior of the application
   > and directly access the underlying database. An attacker may be able to exploit
   > this issue to bypass authentication, read confidential data, modify the remote
   > database, or even take control of the remote operating system.
   > See also: [http://www.securiteam.com/securityreviews/5DP0N1P76E.html](http://www.securiteam.com/securityreviews/5DP0N1P76E.html)
   > [http://www.nessus.org/u?ed792cf5](http://www.nessus.org/u?ed792cf5)
   > [http://projects.webappsec.org/w/page/13246963/SQL%20Injection](http://projects.webappsec.org/w/page/13246963/SQL%20Injection)
   > **Resolution:** Modify the affected CGI scripts so that they properly escape
   > arguments.
   > **Data Received:** Using the GET HTTP method, SecurityMetrics found that:
   > + The following resources may be vulnerable to blind SQL injection (time based):
   > + The 'orderby' parameter of the /oval-braided-rugs/page CGI:
   > `/oval-braided-rugs/page?orderby=;SELECT%20pg_sleep(3);--`
   > -------- output --------
 * **Number 2**
 * > **Title:** CGI Generic Command Execution (time-based)
   > **Synopsis:** It may be possible to run arbitrary code on the remote web server.
   > **Impact:** The remote web server hosts CGI scripts that fail to adequately
   > sanitize request strings. By leveraging this issue, an attacker may be able to
   > execute arbitrary commands on the remote host.
   > See also: [https://en.wikipedia.org/wiki/Code_injection](https://en.wikipedia.org/wiki/Code_injection)
   > [http://projects.webappsec.org/w/page/13246950/OS%20Commanding](http://projects.webappsec.org/w/page/13246950/OS%20Commanding)
   > **Resolution:** Restrict access to the vulnerable application. Contact the vendor
   > for a patch or upgrade.
   > **Data Received:** Using the GET HTTP method, SecurityMetrics found that:
   > + The following resources may be vulnerable to arbitrary command execution
   > (time based):
   > + The 'orderby' parameter of the /oval-braided-rugs/page CGI:
   > `/oval-braided-rugs/page?orderby=%20;%20x%20%7C%7C%20sleep%203%20%26`
   > -------- output --------

Viewing 2 replies - 1 through 2 (of 2 total)

 *  Thread Starter [brgreene](https://wordpress.org/support/users/brgreene/)
 * (@brgreene)
 * [6 years, 1 month ago](https://wordpress.org/support/topic/scan-errors-orderby-parameter/#post-12723043)
 * Any help on this. I have sent support tickets with no response.
 *  Plugin Author [Maya](https://wordpress.org/support/users/tdgu/)
 * (@tdgu)
 * [6 years, 1 month ago](https://wordpress.org/support/topic/scan-errors-orderby-parameter/#post-12723573)
 * Hi,
    Sorry, but the messages are generic, with no replicable steps. Both make
   reference to orderby GET usage; still, the plugin has no use for this anywhere.
 * We never received any message through our website, contact us again to discuss
   it further.
 * Thanks


The topic ‘Scan Errors ORDERBY Parameter’ is closed to new replies.

 * [Post Types Order](https://wordpress.org/plugins/post-types-order/)

 * 2 replies
 * 2 participants
 * Last reply from: [Maya](https://wordpress.org/support/users/tdgu/)
 * Last activity: [6 years, 1 month ago](https://wordpress.org/support/topic/scan-errors-orderby-parameter/#post-12723573)
 * Status: not resolved