Description

The Simple Quotation WordPress plugin through 1.3.2 does not have authorisation (and CSRF) checks in various of its AJAX actions and is lacking escaping of user data when using it in SQL statements, allowing any authenticated users, such as subscriber to perform SQL injection attacks

Related CPE's

a

sedlex

simple_quotation

*

*

*

*

*

wordpress

Vulnerable

References

https://wpscan.com/vulnerability/6940a97e-5a75-405c-be74-bedcc3a8ee00

ExploitThird Party Advisory

Weaknesses

[email protected]

Primary
CWE-89

[email protected]

Secondary
CWE-89

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.8 · High

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information

Source identifier

[email protected]

Vulnerability status

Analyzed

Published

2022-03-14T15:15:11.067

3 years ago

Last modified

2022-03-21T16:18:48.447

3 years ago