SQL Injection Vulnerability in Cart66 Plugin for WordPress
CVE-2014-9305

Currently unrated

Key Information:

Vendor
WordPress
CVE Published:
8 December 2014

Summary

An SQL injection vulnerability exists in the Cart66 Lite plugin for WordPress that allows remote authenticated users to execute arbitrary SQL commands. This weakness arises from improper validation in the shortcodeProductsTable function, specifically when processing the id parameter in a shortcode_products_table action. Attackers can exploit this flaw through wp-admin/admin-ajax.php, potentially gaining unauthorized access to sensitive database information.
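
A defensive check for the request shape described above, as an added example that is not part of the original advisory or the plugin's code: it flags requests to wp-admin/admin-ajax.php carrying the shortcode_products_table action whose id is not a plain integer. The integer-only id rule, the function names and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

AJAX_PATH = "/wp-admin/admin-ajax.php"
ACTION = "shortcode_products_table"
# Assumption: legitimate product ids are short, plain ASCII integers.
INT_ID = re.compile(r"[0-9]{1,10}")

def classify(url, body=""):
    """Return 'ignore', 'ok' or 'suspicious' for one HTTP request."""
    parts = urlsplit(url)
    # WordPress may live in a subdirectory, so match on the path suffix.
    if not parts.path.endswith(AJAX_PATH):
        return "ignore"
    # admin-ajax.php takes parameters from the query string and the POST body.
    params = parse_qs(parts.query, keep_blank_values=True)
    for key, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)
    if ACTION not in params.get("action", []):
        return "ignore"
    ids = params.get("id", [])
    # fullmatch rejects quotes, spaces, trailing newlines and empty values;
    # a repeated id parameter is flagged as well.
    if len(ids) <= 1 and all(INT_ID.fullmatch(v) for v in ids):
        return "ok"
    return "suspicious"

# Constructed sample requests as (URL, form-encoded body) pairs.
SAMPLES = [
    ("/wp-admin/admin-ajax.php?action=shortcode_products_table&id=12", ""),
    ("/wp-admin/admin-ajax.php", "action=shortcode_products_table&id=12%27"),
    ("/blog/wp-admin/admin-ajax.php?action=shortcode_products_table", "id=3+or+x"),
    ("/wp-admin/admin-ajax.php?action=heartbeat&id=abc", ""),
    ("/index.php?id=abc", ""),
]

def scan(samples):
    """Classify every (url, body) pair in order."""
    return [classify(url, body) for url, body in samples]

if __name__ == "__main__":
    for (url, body), verdict in zip(SAMPLES, scan(SAMPLES)):
        print(f"{verdict:10} {url} {body}")
```

Web server access logs usually omit POST bodies, so this check needs a source that records them, such as a WAF or application audit log.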

Timeline

  • Vulnerability published

  • Vulnerability Reserved
