SQL Injection Vulnerabilities in All In One WP Security & Firewall Plugin for WordPress
CVE-2014-6242
Currently unrated
Key Information:
- Vendor: WordPress
- CVE Published: 2 October 2014
What is CVE-2014-6242?
The All In One WP Security & Firewall plugin for WordPress has multiple SQL injection vulnerabilities that allow remote authenticated users to execute arbitrary SQL commands. Specifically, the vulnerabilities can be exploited via the 'orderby' or 'order' parameters on the aiowpsec page, accessed through wp-admin/admin.php. The weakness can also be exploited through Cross-Site Request Forgery (CSRF), which lets an attacker who has no account of their own have the SQL executed through an authenticated user's browser session.
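Sort parameters such as 'orderby' and 'order' end up as SQL identifiers and keywords, which cannot be bound as prepared-statement values, so the usual defence is an exact-match allowlist. The following is an added example, not code from the plugin or from this page; the column names, the function name `build_order_clause` and the sample requests are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumed sortable columns (hypothetical; not taken from the plugin).
const SORTABLE_COLUMNS = ['id', 'user_login', 'event_date'];

/**
 * Build an ORDER BY clause from request parameters (hypothetical helper).
 * Only exact matches against fixed lists reach the SQL text; anything
 * else, including non-string values, falls back to a safe default.
 */
function build_order_clause(array $request, string $defaultColumn = 'id'): string
{
    $orderby = $request['orderby'] ?? $defaultColumn;
    $order   = $request['order'] ?? 'ASC';

    // Column name: strict comparison against the allowlist, no partial matches.
    if (!is_string($orderby) || !in_array($orderby, SORTABLE_COLUMNS, true)) {
        $orderby = $defaultColumn;
    }

    // Direction: the output is one of two literals, never the raw input.
    $order = (is_string($order) && strtoupper($order) === 'DESC') ? 'DESC' : 'ASC';

    return sprintf('ORDER BY `%s` %s', $orderby, $order);
}

// Constructed request parameters: one valid, three that must fall back.
$samples = [
    ['orderby' => 'event_date', 'order' => 'desc'],
    ['orderby' => 'event_date, 1', 'order' => 'asc'],
    ['orderby' => ['id'], 'order' => 'DESC LIMIT 1'],
    [],
];

foreach ($samples as $request) {
    echo json_encode($request), ' => ', build_order_clause($request), PHP_EOL;
}
```

The allowlist addresses the injection only. The CSRF path is a separate control, which in WordPress is a nonce check such as check_admin_referer() on the admin request.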