Feed on Feeds <= 0.5 (fof-main.php) PHP Code Injection Vulnerability

Description:

Feed on Feeds contains a flaw that allows a remote attacker to inject and execute arbitrary PHP code. User-supplied input passed through the $_POST['feed_order'] parameter to set-prefs.php is not properly sanitized before being used in a call to the PHP create_function() function.
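
An added illustration of the pattern described above and of a hardened replacement; it is not code from Feed on Feeds or from the original advisory. The column names, helper functions and sample data are assumptions made for the example.

```php
<?php
// Added example; not Feed on Feeds source. All names and data are constructed.

// Vulnerable pattern (kept as a comment; create_function() was removed in PHP 8.0).
// The function body is a string that PHP compiles, so a request value
// concatenated into it becomes part of the code that runs:
//
//   $order = $_POST['feed_order'];
//   usort($feeds, create_function('$a,$b',
//       'return strnatcasecmp($a["' . $order . '"], $b["' . $order . '"]);'));

// Hardened form: the request value only selects from a fixed allowlist and is
// used as an array key inside a real closure, never as source text.
const SORT_KEYS = ['feed_title', 'feed_age', 'feed_unread']; // assumed column names
const DEFAULT_SORT_KEY = 'feed_title';

function resolve_sort_key($requested): string
{
    // Strict comparison rejects arrays, numbers and any string not listed.
    if (is_string($requested) && in_array($requested, SORT_KEYS, true)) {
        return $requested;
    }
    return DEFAULT_SORT_KEY;
}

function sort_feeds(array $feeds, $requested): array
{
    $key = resolve_sort_key($requested);
    usort($feeds, function (array $a, array $b) use ($key): int {
        return strnatcasecmp((string) $a[$key], (string) $b[$key]);
    });
    return $feeds;
}

// Constructed sample data standing in for the feed list.
$feeds = [
    ['feed_title' => 'zeta',  'feed_age' => '3',  'feed_unread' => '10'],
    ['feed_title' => 'Alpha', 'feed_age' => '12', 'feed_unread' => '2'],
];

// A listed key sorts by that column; anything else falls back to the default.
foreach (['feed_age', 'no_such_column', ['nested']] as $input) {
    $titles = array_column(sort_feeds($feeds, $input), 'feed_title');
    printf("%s => %s\n", json_encode($input), implode(', ', $titles));
}
```

When auditing a code base for this class of bug, search for create_function(), eval(), assert() with string arguments and preg_replace() with the /e modifier, then trace whether any request data reaches the code string.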

Disclosure Date:

September 30, 2011