WordPress Plugin Vulnerabilities

WP-Advanced-Search < 3.3.7 - Authenticated SQL Injection

Description

The import functionality to restore plugin settings within the admin pages was vulnerable to SQL Injection through a privileged user with the edit_posts capability.

Affects Plugins

Plugin icon
wp-advanced-search
Fixed in 3.3.7

References

CVE
CVE-2020-12104

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
7.6 (high)

Miscellaneous

Original Researcher
Nawaf Alkeraithe, Hashim Alshareef
Submitter
Nawaf
Submitter twitter
@NawafAlkeraithe @HashimAlshareff
Verified
No
WPVDB ID
8b7cb8bc-207e-4e8b-9772-bdf678e8603e

Timeline

Publicly Published
2020-04-28 (about 6 years ago)
Added
2020-04-29 (about 6 years ago)
Last Updated
2020-04-30 (about 6 years ago)

Other

Published
Title
Published
2025-12-30
Title
Appointify <= 1.0.8 - Authenticated (Administrator+) SQL Injection
Published
2022-07-18
Title
WPDating < 7.4.0 - Multiple Unauthenticated SQLi
Published
2026-05-04
Title
AWP Classifieds <= 4.4.5 - Unauthenticated SQL Injection via 'regions'
Published
2025-12-13
Title
wpForo Forum < 2.4.13 - Unauthenticated SQL Injection
Published
2019-07-16
Title
Web Librarian < 3.5.5 - SQL Injection