WordPress Plugin Vulnerabilities

Most Popular Posts Widget < 0.9 - Admin+ SQL injection

Description

The plugin does not properly validate and escape the "orderby" GET parameter before using it in a SQL statement when viewing the logs, leading to an SQL Injection issue

Affects Plugins

Plugin icon
most-popular-posts-widget-lite
Fixed in 0.9

References

CVE
CVE-2015-10124

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
6.3 (medium)

Miscellaneous

Original Researcher
VulDB GitHub Commit Analyzer
Verified
No
WPVDB ID
9b62ad7a-3c0a-4a87-9db5-60122912c3db

Timeline

Publicly Published
2023-10-02 (about 2 years ago)
Added
2023-10-02 (about 2 years ago)
Last Updated
2023-10-02 (about 2 years ago)

Other

Published
Title
Published
2014-09-24
Title
All Video Gallery 1.2 - SQL Injection
Published
2022-12-12
Title
Web Invoice <= 2.1.3 - Authenticated SQLi
Published
2024-03-19
Title
GamiPress – The #1 gamification plugin to reward points, achievements, badges & ranks in WordPress < 6.8.7 - Authenticated (Contributor+) SQL Injection via Shortcode
Published
2024-12-11
Title
WPBookit <= 1.6.0 - Unauthenticated SQL Injection
Published
2026-04-15
Title
DirectoryPress – Business Directory And Classified Ad Listing < 3.6.27 - Unauthenticated SQL Injection via 'packages'