WordPress Plugin Vulnerabilities

Cart66 Lite <= 1.5.3 - SQL Injection

Description

The QSA named ‘q’ for the ‘promotionProductSearch’ AJAX call is not being sanitized, which allows for MySQL injection utilizing a UNION. The user must be logged in for this to be applicable. The output is JSON encoded, however is a pure representation of the data returned from a MySQL query.

Affects Plugins

Plugin icon
cart66-lite
Fixed in 1.5.4

References

CVE
CVE-2014-9442
URL
https://g0blin.co.uk/cve-2014-9442/

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89

Miscellaneous

Submitter
James Hooker
Submitter website
https://research.g0blin.co.uk
Submitter twitter
g0blinResearch
Verified
No
WPVDB ID
43756c7d-a4be-41d7-8aa0-48e04ad02f86

Timeline

Publicly Published
2015-01-01 (about 11 years ago)
Added
2015-01-01 (about 11 years ago)
Last Updated
2019-10-21 (about 6 years ago)

Other

Published
Title
Published
2025-09-10
Title
Coupon API <= 6.2.12 - Authenticated (Administrator+) SQL Injection via 'log_duration'
Published
2024-08-07
Title
Docket (WooCommerce Collections / Wishlist / Watchlist) < 1.7.0 - Unauthenticated SQL Injection
Published
2023-06-05
Title
Custom 404 Pro < 3.8.1 - Multiple SQL Injection
Published
2024-03-14
Title
HUSKY – Products Filter for WooCommerce Professional < 1.3.5.3 - Contributor+ SQL Injection
Published
2025-08-15
Title
Vertical scroll slideshow gallery v2 <= 9.1 - Authenticated (Contributor+) SQL Injection