CVE-2014-6242

Currently unrated

Key Information:

Vendor: Wordpress
Status: All In One WordPress Security And Firewall
Vendor: CVE Published:; 2 October 2014

Summary

Multiple SQL injection vulnerabilities in the All In One WP Security & Firewall plugin before 3.8.3 for WordPress allow remote authenticated users to execute arbitrary SQL commands via the (1) orderby or (2) order parameter in the aiowpsec page to wp-admin/admin.php. NOTE: this can be leveraged using CSRF to allow remote attackers to execute arbitrary SQL commands.

References

http://packetstormsecurity.com/files/128419/All-In-One-WP...

x_refsource_MISC

https://wordpress.org/plugins/all-in-one-wp-security-and-...

x_refsource_CONFIRM

http://www.exploit-db.com/exploits/34781

exploitx_refsource_EXPLOIT-DB

Timeline

Vulnerability published
Oct 2, 2014
Vulnerability Reserved
Sep 4, 2014