SQL Injection Vulnerability in IndiaNIC Testimonial Plugin for WordPress
CVE-2013-5673

Currently unrated

Key Information:

Vendor: Wordpress
Status: Testimonial Plugin
Vendor: CVE Published:; 10 September 2013

Summary

The IndiaNIC Testimonial Plugin version 2.2 for WordPress is susceptible to an SQL injection vulnerability. This flaw exists within the testimonial.php file, where improper handling of user input allows remote attackers to inject arbitrary SQL commands. By manipulating the 'custom_query' parameter through a 'testimonial_add' action in the admin-ajax.php interface, attackers can exploit this vulnerability to execute malicious SQL statements, potentially compromising the integrity of the database and exposing sensitive information.

References

http://osvdb.org/96793

vdb-entryx_refsource_OSVDB

http://seclists.org/fulldisclosure/2013/Sep/5

mailing-listx_refsource_FULLDISC

http://seclists.org/oss-sec/2013/q3/531

mailing-listx_refsource_MLIST

EPSS Score

6% chance of being exploited in the next 30 days.

Timeline

Vulnerability published
Sep 10, 2013
Vulnerability Reserved
Sep 1, 2013