SQL Injection Vulnerability in GigPress Plugin for WordPress
CVE-2015-4066
Summary
Multiple SQL injection vulnerabilities exist in admin/handlers.php of the GigPress plugin for WordPress before version 2.3.9. They allow remote authenticated users to execute arbitrary SQL commands via the (1) show_artist_id or (2) show_venue_id parameter in an add action on the gigpress.php page of the WordPress admin interface. Successful exploitation could lead to unauthorized database manipulation and information disclosure; versions 2.3.9 and later are not affected, so affected sites should update.
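The bug class described above, as an added example in WordPress-style PHP that is not GigPress's code: a request parameter that is an integer by contract is concatenated straight into a query, beside the hardened form that binds it with $wpdb->prepare(). The table name example_artists, the capability manage_options, the nonce action name and the function names are assumptions; $wpdb, absint(), current_user_can() and check_admin_referer() are the real WordPress APIs.

```php
<?php
/*
 * Added example, not code from the GigPress plugin. It shows the general
 * pattern behind CVE-2015-4066 (an integer id parameter interpolated into
 * SQL in an admin handler) and a hardened replacement. Table name, function
 * names, capability and nonce action are hypothetical.
 */

// VULNERABLE pattern: the request parameter enters the query unchanged.
// Anything that is not a plain number is parsed by MySQL as SQL.
function example_vulnerable_lookup() {
    global $wpdb;
    $artist_id = $_POST['show_artist_id'];   // untrusted, unvalidated
    $sql = "SELECT * FROM {$wpdb->prefix}example_artists WHERE artist_id = " . $artist_id;
    return $wpdb->get_row( $sql );
}

// HARDENED pattern: authorization, CSRF token, type coercion and a prepared
// statement. The prepared statement alone closes the injection; the other
// layers keep a low-privilege or forged request from reaching it at all.
function example_hardened_lookup() {
    global $wpdb;

    // 1. Only users permitted to manage shows may run the handler.
    if ( ! current_user_can( 'manage_options' ) ) {      // capability is an assumption
        wp_die( 'Insufficient permissions' );
    }

    // 2. The request must carry the nonce the admin form was rendered with.
    check_admin_referer( 'example_add_show' );           // nonce action is hypothetical

    // 3. The id is an integer by contract; absint() discards everything else.
    $artist_id = isset( $_POST['show_artist_id'] ) ? absint( $_POST['show_artist_id'] ) : 0;
    if ( 0 === $artist_id ) {
        wp_die( 'Invalid artist id' );
    }

    // 4. %d in $wpdb->prepare() binds the value as an integer, so the query
    //    text can never be altered by the parameter.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}example_artists WHERE artist_id = %d",
        $artist_id
    );
    return $wpdb->get_row( $sql );
}
```

When auditing a plugin for this class of flaw, grep for $wpdb->query(), get_row(), get_results() and get_var() calls whose SQL string contains an interpolated or concatenated $_GET, $_POST or $_REQUEST value; every such call should instead pass through $wpdb->prepare() with a %d or %s placeholder.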
EPSS Score
5% chance of being exploited in the next 30 days.
Timeline
Vulnerability published
Vulnerability reserved