WordPress Plugin Vulnerabilities

Intuitive Custom Post Order < 3.1.5 - Admin+ SQLi

Description

The plugin does not properly escape user-supplied 'objects' and 'tags' parameters and lacks sufficient preparation in the 'update_options' and 'refresh' functions, leading to potential SQL Injection vulnerabilities.

Affects Plugins

Plugin icon
intuitive-custom-post-order
Fixed in 3.1.5

References

CVE
CVE-2023-1016
URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/intuitive-custom-post-order/intuitive-custom-post-order-313-authenticated-admin-sql-injection

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
3.0 (low)

Miscellaneous

Verified
No
WPVDB ID
00ad48f2-c172-4418-b25b-9068f6af904f

Timeline

Publicly Published
2023-01-25 (about 3 years ago)
Added
2023-06-09 (about 2 years ago)
Last Updated
2023-12-25 (about 2 years ago)

Other

Published
Title
Published
2026-04-13
Title
SpeakOut! Email Petitions < 4.6.5.1 - Unauthenticated SQL Injection
Published
2021-07-27
Title
Side Menu Lite < 2.2.6 - Authenticated SQL Injection
Published
2022-04-28
Title
Hermit <= 3.1.6 - Subscriber+ SQLi
Published
2014-11-25
Title
Google Document Embedder <= 2.5.14 - SQL Injection
Published
2025-05-07
Title
ELEX Product Feed for WooCommerce < 3.1.3 - Admin+ SQL Injection