Title: SQL Injection Vulnerabilities
Last modified: August 20, 2016

---

# SQL Injection Vulnerabilities

 *  Resolved [robert_k](https://wordpress.org/support/users/robert_k/)
 * (@robert_k)
 * [13 years, 4 months ago](https://wordpress.org/support/topic/sql-injection-vulnerabilities-1/)
 * **This plugin could potentially be exploited by any member on a WordPress site.
   Use this plugin at your own risk. It works, but it isn’t nearly secure enough.**
 * Firstly, no permission check is performed on the new page, just when outputting
   links. This isn’t secure enough, as just about anyone who knows the plugin is
   installed can manually enter the link and then rename an administrator. This 
   needs another `current_user_can('edit_users')` check.
 * Secondly, because the author did not consistently use `$wpdb->prepare()` for 
   his SQL there are several SQL injection vulnerabilities. I don’t advise ever 
   using esc_attr() on database input in place of proper SQL escaping; it can conceivably
   be bypassed. Anywhere that the plugin uses the `$_REQUEST['id']` parameter the
   input is appended **unfiltered** to the end of a query. So just displaying the
   page you could essentially reset the password of an administrator to something
   you know, or perhaps all users, for just one example.
 * If you are the author of this plugin: I’ve taken the time to secure this plugin
   for a project and have sanitized all SQL statements. I made a few tweaks for 
   the sake of this project that you needn’t carry over, but the security check 
   and the SQL protection you really should carry over. You can download and compare
   my changes [here](http://www.woodst.com/clients/woodstreet/username-changer.zip).
   And if you incorporate my changes, please list me as a contributor: “Robert Kosek,
   Wood Street Inc”.
 * [http://wordpress.org/extend/plugins/username-changer/](http://wordpress.org/extend/plugins/username-changer/)
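As an added illustration of the two points in the report above (this is not the plugin's code and not Robert's patch; the handler, its function names and the nonce action are assumptions for the example), here is the unsafe pattern the report describes beside the hardened form it recommends:

```php
<?php
// Illustrative sketch only, not the plugin's actual code. Assumes a hypothetical
// admin-page handler that renames the user selected by $_REQUEST['id'].

// BEFORE (the pattern the report describes): no capability check on the page
// itself, and the request parameter is appended to the SQL string unfiltered,
// so a caller who knows the URL controls the WHERE clause. esc_attr() on the
// value is HTML attribute escaping, not SQL escaping.
function username_changer_rename_unsafe( $new_login ) {
    global $wpdb;
    $id = $_REQUEST['id'];
    $wpdb->query( "UPDATE {$wpdb->users} SET user_login = '" . esc_attr( $new_login ) . "' WHERE ID = " . $id );
}

// AFTER: the page that performs the change verifies the capability itself
// (not only where links are rendered) and lets $wpdb->prepare() bind values.
function username_changer_rename_safe( $new_login ) {
    global $wpdb;

    // First point of the report: the action page needs its own permission check.
    if ( ! current_user_can( 'edit_users' ) ) {
        wp_die( __( 'You do not have permission to rename users.' ) );
    }

    // Additional hardening beyond the report: tie the request to a nonce.
    // The action name 'username_changer_rename' is an assumption for this example.
    check_admin_referer( 'username_changer_rename' );

    // Force the ID to a non-negative integer before it reaches the query.
    $id = isset( $_REQUEST['id'] ) ? absint( $_REQUEST['id'] ) : 0;
    if ( 0 === $id ) {
        wp_die( __( 'Invalid user ID.' ) );
    }

    // Strict user-name sanitisation for the new login value.
    $new_login = sanitize_user( $new_login, true );

    // Second point of the report: prepare() quotes and escapes %s and casts
    // %d to an integer, so neither value can alter the statement's structure.
    $wpdb->query(
        $wpdb->prepare(
            "UPDATE {$wpdb->users} SET user_login = %s WHERE ID = %d",
            $new_login,
            $id
        )
    );
}
```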

Viewing 15 replies - 1 through 15 (of 15 total)

 *  [lkraav](https://wordpress.org/support/users/lkraav/)
 * (@lkraav)
 * [13 years, 1 month ago](https://wordpress.org/support/topic/sql-injection-vulnerabilities-1/#post-3323270)
 * Was this ever attended to?
 *  Thread Starter [robert_k](https://wordpress.org/support/users/robert_k/)
 * (@robert_k)
 * [13 years, 1 month ago](https://wordpress.org/support/topic/sql-injection-vulnerabilities-1/#post-3323271)
 * lkraav, so far as I know this issue has not been attended to. The last release
   was 8 months ago, and this issue affects version 1.4 (the current as of writing,
   still).
 * I included a download link with my security fixes because of the severity of 
   this problem:
    [http://www.woodst.com/clients/woodstreet/username-changer.zip](http://www.woodst.com/clients/woodstreet/username-changer.zip)
 *  [lkraav](https://wordpress.org/support/users/lkraav/)
 * (@lkraav)
 * [13 years, 1 month ago](https://wordpress.org/support/topic/sql-injection-vulnerabilities-1/#post-3323272)
 * OK thanks for caring. Your original message doesn’t point out the version against
   which the report was made. I’ll take a look at the diff of your version.
 *  [Gary Gordon](https://wordpress.org/support/users/garymgordon/)
 * (@garymgordon)
 * [12 years, 11 months ago](https://wordpress.org/support/topic/sql-injection-vulnerabilities-1/#post-3323289)
 * lkraav,
 * I was curious if this issue was resolved. Please let me know.
    Gary
 *  [SCNisHere](https://wordpress.org/support/users/scnishere/)
 * (@scnishere)
 * [12 years, 10 months ago](https://wordpress.org/support/topic/sql-injection-vulnerabilities-1/#post-3323290)
 * I too am wondering. Thank you.
 * Steve
 *  [SCNisHere](https://wordpress.org/support/users/scnishere/)
 * (@scnishere)
 * [12 years, 10 months ago](https://wordpress.org/support/topic/sql-injection-vulnerabilities-1/#post-3323291)
 * I too am wondering. Thank you.
 * Steve
 *  Thread Starter [robert_k](https://wordpress.org/support/users/robert_k/)
 * (@robert_k)
 * [12 years, 10 months ago](https://wordpress.org/support/topic/sql-injection-vulnerabilities-1/#post-3323292)
 * Sorry guys, as far as I can tell the plugin owner never even attempted to contact
   me and has not dealt with the security issues I pointed out. The archive I posted
   has fixes for these security holes, but it isn’t an official update for the plugin.
 *  [Rahul Bansal](https://wordpress.org/support/users/rahul286/)
 * (@rahul286)
 * [12 years, 9 months ago](https://wordpress.org/support/topic/sql-injection-vulnerabilities-1/#post-3323296)
 * [@robert_k](https://wordpress.org/support/users/robert_k/)
 * Why don’t you fork this plugin?
 *  Moderator [Pippin Williamson](https://wordpress.org/support/users/mordauk/)
 * (@mordauk)
 * [12 years, 9 months ago](https://wordpress.org/support/topic/sql-injection-vulnerabilities-1/#post-3323297)
 * We (WordPress.org) reviewers are looking into the plugin. It will be disabled
   until it is fixed.
 *  [Dan Griffiths](https://wordpress.org/support/users/ghost1227/)
 * (@ghost1227)
 * [12 years, 9 months ago](https://wordpress.org/support/topic/sql-injection-vulnerabilities-1/#post-3323299)
 * I’d like to apologize for not catching this sooner. I never even noticed the 
   open ticket until Pippin was kind enough to give me a nudge. I’ve learned a lot
   since originally releasing this plugin, so the V2.0.0 release I just pushed is
   a fairly major rewrite. I’ve also included the vulnerability patches provided
   by Robert, with my sincere thanks. Please let me know if there are any further
   issues!
 *  Moderator [Pippin Williamson](https://wordpress.org/support/users/mordauk/)
 * (@mordauk)
 * [12 years, 9 months ago](https://wordpress.org/support/topic/sql-injection-vulnerabilities-1/#post-3323300)
 * [@ghost1227](https://wordpress.org/support/users/ghost1227/) Ping me when the
   update is pushed and I’ll re-open the plugin.
 *  [Gary Gordon](https://wordpress.org/support/users/garymgordon/)
 * (@garymgordon)
 * [12 years, 9 months ago](https://wordpress.org/support/topic/sql-injection-vulnerabilities-1/#post-3323301)
 * Hi. Is the version at [http://wordpress.org/support/plugin/username-changer](http://wordpress.org/support/plugin/username-changer)
   good to use?
 *  [Dan Griffiths](https://wordpress.org/support/users/ghost1227/)
 * (@ghost1227)
 * [12 years, 9 months ago](https://wordpress.org/support/topic/sql-injection-vulnerabilities-1/#post-3323302)
 * Version 2.0.0 is the safe version.
 *  Moderator [Pippin Williamson](https://wordpress.org/support/users/mordauk/)
 * (@mordauk)
 * [12 years, 9 months ago](https://wordpress.org/support/topic/sql-injection-vulnerabilities-1/#post-3323303)
 * The plugin has been re-enabled and the problems have been fixed.
 *  [Dan Griffiths](https://wordpress.org/support/users/ghost1227/)
 * (@ghost1227)
 * [12 years, 9 months ago](https://wordpress.org/support/topic/sql-injection-vulnerabilities-1/#post-3323304)
 * Thanks for the quick re-approval Pippin!

The topic ‘SQL Injection Vulnerabilities’ is closed to new replies.

## Tags

 * [code review](https://wordpress.org/support/topic-tag/code-review/)

 * 15 replies
 * 7 participants
 * Last reply from: [Dan Griffiths](https://wordpress.org/support/users/ghost1227/)
 * Last activity: [12 years, 9 months ago](https://wordpress.org/support/topic/sql-injection-vulnerabilities-1/#post-3323304)
 * Status: resolved