Care to provide a demonstration exploit then? You do realize that
$new_cat is just a variable pulled from the $add_cats array, right? Show
everyone how you are going to inject SQL into the list of categories.
> Hello,
>
> There is a sql injection in WordPress 2.1.2 (and maybe others) .
> A user with "add link" permission (Editor/Administrator) can do this :
>
> The '$new_cat' variable in "wp_set_link_cats()" function is not checked
> properly before be used in the sql query :
>
> File /wp-admin/admin-db.php, Line 472 :
>
> $wpdb->query("
> INSERT INTO $wpdb->link2cat (link_id, category_id)
> VALUES ($link_ID, $new_cat)");
>
>
> - Omid
>
