CVE-2016-20063

An authenticated user can exploit this vulnerability by accessing the plugin's outbox view and manipulating the 'message' parameter with crafted SQL statements. This allows for the extraction of sensitive database information, such as user credentials and site configuration data. The exploit targets the `simple-personal-message-outbox` page, demonstrating how to inject a UNION SELECT query to retrieve data from the `wp_terms` table [ref_id=1].

The vulnerability exists in the Single Personal Message WordPress plugin version 1.0.3. Specifically, the 'message' GET parameter is not escaped, making it accessible to any registered user. The exploit targets the `simple-personal-message-outbox` page within the plugin's administration interface [ref_id=1].

The patch is not provided in the bundle. However, the advisory indicates that the vulnerability stems from unsanitized input in the 'message' GET parameter. Remediation would involve properly escaping or sanitizing this parameter before it is used in SQL queries to prevent malicious code injection.

1. Login as a regular user (created using wp-login.php?action=register). 2. Access the URL: http://target/wp-admin/admin.php?page=simple-personal-message-outbox&action=view&message=0%20UNION%20SELECT%201,2.3,name,5,slug,7,8,9,10,11,12%20FROM%20wp_terms%20WHERE%20term_id=1 [ref_id=1]