SQL Injection Vulnerability in Participants Database Plugin for WordPress
CVE-2020-8596

7.5HIGH

Key Information:

Vendor: Wordpress
Status: Participants Database
Vendor: CVE Published:; 11 February 2020

Summary

The Participants Database plugin for WordPress, specifically version 1.9.5.5 and earlier, contains a time-based SQL injection vulnerability within the participants-database.php file. This flaw can be exploited through the ascdesc, list_filter_count, or sortBy parameters, allowing attackers to manipulate database queries. Successful exploitation may lead to unauthorized data exfiltration and, under certain conditions, remote code execution. Site administrators are urged to update their installations to mitigate the risk associated with this vulnerability.

References

https://blog.impenetrable.tech/cve-2020-8596

x_refsource_MISC

https://wpvulndb.com/vulnerabilities/10068

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 11, 2020
Vulnerability Reserved
Feb 3, 2020