SQL Injection Vulnerability in Cart66 Lite Plugin for WordPress
CVE-2014-9442

Currently unrated

Key Information:

Vendor: Wordpress
Status: Cart66 Lite
Vendor: CVE Published:; 2 January 2015

Summary

The Cart66 Lite plugin for WordPress has a SQL injection vulnerability residing in the models/Cart66Ajax.php file. This issue allows remote authenticated users to execute arbitrary SQL commands through the 'q' parameter within the 'promotionProductSearch' action, accessed via the wp-admin/admin-ajax.php endpoint. The flaw poses a significant risk as it could enable attackers to manipulate the database and gain unauthorized access to sensitive data, highlighting the importance of promptly updating the plugin to the latest version to mitigate such security threats.

References

https://wordpress.org/plugins/cart66-lite/changelog/

x_refsource_CONFIRM

https://research.g0blin.co.uk/g0blin-00022/

x_refsource_MISC

http://secunia.com/advisories/61942

third-party-advisoryx_refsource_SECUNIA

Timeline

Vulnerability Reserved
Oct 3, 2022
Vulnerability published
Jan 2, 2015