WordPress Plugin Vulnerabilities

WP Coder < 2.5.4 - Admin+ SQLi

Description

The plugin does not properly sanitise and escape the id parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin

Affects Plugins

Plugin icon
wp-coder
Fixed in 2.5.4

References

CVE
CVE-2023-0895

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Etan Imanol Castro Aldrete
Verified
No
WPVDB ID
eba90d3e-8968-41f9-8dc9-91d87a2cd527

Timeline

Publicly Published
2023-02-17 (about 2 years ago)
Added
2023-02-18 (about 2 years ago)
Last Updated
2023-02-18 (about 2 years ago)

Other

Published
Title
Published
2014-08-01
Title
Global Content Blocks <= 1.2 - SQL Injection
Published
2025-05-07
Title
PDF Invoices for WooCommerce + Drag and Drop Template Builder < 5.4.0 - Authenticated (Administrator+) SQL Injection
Published
2025-01-06
Title
ClickWhale – Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages < 2.4.2 - Authenticated (Contributor+) SQL Injection
Published
2015-05-06
Title
Freshmail for WordPress < 1.6 - Unauthenticated SQL Injection
Published
2025-08-15
Title
tPlayer <= 1.2.1.6 - Unauthenticated SQL Injection