WordPress Plugin Vulnerabilities

WordPress Plugin IBPS Online Exam <= 1.0 - Authenticated SQL Injection / Cross-Site Scripting

Description

Exploit Author: 8bitsec
Contact Author: https://twitter.com/_8bitsec

Stored XSS on exam input textfields and Blind SQL Injection on 'examapp_UserResult' page 'id' parameter.

Proof of Concept

Affects Plugins

Plugin icon
examapp
No known fix

References

CVE
CVE-2017-18602
CVE
CVE-2017-18601

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
8.8 (high)

Miscellaneous

Submitter
H4m3rm3ld
Submitter twitter
sys_secure
Verified
No
WPVDB ID
7e431705-e2e2-485b-b29e-ecbc01a8af2a

Timeline

Publicly Published
2017-07-21 (about 8 years ago)
Added
2017-07-25 (about 8 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2019-08-27
Title
Nextgen Gallery < 3.2.11 - SQL Injection
Published
2025-09-28
Title
LBG Zoominoutslider < 5.4.5 - Authenticated (Contributor+) SQL Injection
Published
2024-11-08
Title
Share Buttons – Social Media <= 1.0.2 - Authenticated (Contributor+) SQL Injection
Published
2021-07-24
Title
Paytm - Donation Plugin <= 1.3.2 - Authenticated (admin+) SQL Injection
Published
2020-10-21
Title
Simple Download Monitor < 3.8.9 - SQL Injection