WordPress Plugin Vulnerabilities

Server Status by Hostname/IP <= 4.6 - Authenticated SQL Injection

Description

The last time it was checked the plugin was still affected and had been closed.

Proof of Concept

Affects Plugins

Plugin icon
server-status-by-hostnameip
No known fix

References

CVE
CVE-2019-12570
URL
https://github.com/ivoschyk-cs/exploit_wp/blob/master/CVE-2019-12570

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Ihor Voschyk
Submitter
Ryan Dewhurst
Submitter website
https://wpscan.io
Submitter twitter
ethicalhack3r
Verified
No
WPVDB ID
c4223776-7dcf-43a3-ad19-183e51c3b794

Timeline

Publicly Published
2019-07-01 (about 6 years ago)
Added
2019-12-02 (about 6 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2018-11-09
Title
Buddyforms < 2.2.8 - SQL Injection
Published
2025-01-16
Title
Menus Plus+ <= 1.9.6 - Authenticated (Subscriber+) SQL Injection
Published
2026-02-17
Title
WPNakama < 0.6.6 - Unauthenticated SQL Injection via 'order' REST API Parameter
Published
2023-05-22
Title
SupportCandy < 3.1.7 - Admin+ SQLi
Published
2014-08-01
Title
Wordpress <= 2.0.6 wp-trackback.php Remote SQL Injection Exploit