BSK PDF Manager < 1.5 – Multiple Authenticated SQL Injections | CVE 2014-4944 | Plugin Vulnerabilities

Description

The plugin did not use prepared statement with the categoryid and pdfid parameter when viewing the /wp-admin/admin.php?page=bsk-pdf-manager and /wp-admin/admin.php?page=bsk-pdf-manager-pdfs page leading to Authenticated SQL Injection issues

Proof of Concept

https://127.0.0.1/wp-admin/admin.php?page=bsk-pdf-manager-pdfs&view=edit&pdfid=1 and 1=2

https://127.0.0.1/wp-admin/admin.php?page=bsk-pdf-manager&view=edit&categoryid=1 and 1=2

Affects Plugins

bsk-pdf-manager

Fixed in 1.5

References

CVE

URL

https://packetstormsecurity.com/files/#127407/

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Verified

Yes

WPVDB ID

d6998e1e-a75b-4a56-abb6-c8e8c05d93cb

Timeline

Publicly Published

2014-08-01 (about 11 years ago)

Added

2014-08-01 (about 11 years ago)

Last Updated

2021-01-23 (about 5 years ago)

Other

Published

Title

Published

2026-03-18

Title

Appointment Booking Calendar < 1.6.10.2 - Unauthenticated SQL Injection via 'fields' Parameter

Published

2024-03-20

Title

Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin < 1.6.7.9 - Authenticated (Subscriber+) SQL Injection

Published

2024-04-03

Title

REHub Framework < 19.6.2 - Authenticated (Subscriber+) SQL Injection

Published

2025-04-04

Title

Easy Query – WP Query Builder <= 2.0.4 - Authenticated (Administrator+) SQL Injection

Published

2024-12-11

Title

SeedProd Pro < 6.18.13 - Authenticated (Editor+) SQL Injection