WordPress Plugin Vulnerabilities

GamiPress < 2.5.7.1 - Unauthenticated SQLi

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users

Affects Plugins

Plugin icon
gamipress
Fixed in 2.5.7.1

References

CVE
CVE-2023-24000

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
8.6 (high)

Miscellaneous

Original Researcher
Dave Jong
Verified
No
WPVDB ID
ec11192b-1d33-4e60-8d82-420d4da90018

Timeline

Publicly Published
2023-02-14 (about 3 years ago)
Added
2023-11-15 (about 2 years ago)
Last Updated
2023-11-15 (about 2 years ago)

Other

Published
Title
Published
2025-06-11
Title
Smart Notification <= 10.3 - Unauthenticated SQL Injection
Published
2026-03-03
Title
JS Help Desk < 2.8.3 - Unauthenticated SQL Injection via 'js-support-ticket-token-tkstatus' Cookie
Published
2018-11-08
Title
RSVPMaker < 5.6.4 - SQL Injection
Published
2022-11-07
Title
WP User Merger < 1.5.3 - Admin+ SQLi via ID
Published
2014-09-27
Title
Lead-Octopus-Power Plugin - SQL Injection