SQL Injection Vulnerability in wp-advanced-search Plugin for WordPress
CVE-2020-12104

8.8HIGH

Key Information:

Vendor: Wordpress
Status: WP-advanced-search
Vendor: CVE Published:; 5 May 2020

What is CVE-2020-12104?

The wp-advanced-search plugin version 3.3.6 for WordPress contains a vulnerability in its import feature that allows authenticated users to perform SQL injection by uploading a malicious .sql file. This allows attackers to execute arbitrary SQL commands against the database without proper validation, posing significant security risks and potentially leading to unauthorized data access or manipulation.

References

https://wordpress.org/plugins/wp-advanced-search/#developers

x_refsource_MISC

https://wpvulndb.com/vulnerabilities/10199

x_refsource_MISC

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 5, 2020
Vulnerability Reserved
Apr 23, 2020

Wordpress

What is CVE-2020-12104?

References

CVSS V3.1

Timeline