WordPress Plugin Vulnerabilities

I Recommend This < 3.7.3 - Subscriber+ SQLi

Description

The plugin does not validate and escape some of its shortcode attributes before using them in SQL statement/s, which could allow any authenticated users, such as subscriber to perform SQL Injection attacks

Affects Plugins

Plugin icon
i-recommend-this
Fixed in 3.7.3

References

CVE
CVE-2014-125099
CVE
CVE-2014-10376

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
7.7 (high)

Miscellaneous

Original Researcher
Oskar Adin
Verified
No
WPVDB ID
8fd99a2b-28e4-46b3-b04c-01f50816572b

Timeline

Publicly Published
2014-09-24 (about 11 years ago)
Added
2019-08-26 (about 6 years ago)
Last Updated
2023-04-24 (about 3 years ago)

Other

Published
Title
Published
2016-01-27
Title
Appointment Booking Calendar < 1.1.25 - Unauthenticated SQL Injection
Published
2025-01-24
Title
Bug Library < 2.1.5 - Authenticated (Contributor+) SQL Injection
Published
2025-03-24
Title
JiangQie Official Website Mini Program <= 1.8.2 - Authenticated (Administrator+) SQL Injection
Published
2025-01-24
Title
Simple Download Monitor < 3.9.26 - Authenticated (Administrator+) SQL Injection
Published
2025-10-08
Title
Community Events < 1.5.2 - Unauthenticated SQL Injection