WordPress Plugin Vulnerabilities

Gutentor < 3.4.7 - Admin+ SQL Injection

Description

The plugin does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks

Proof of Concept

Affects Plugins

Plugin icon
gutentor
Fixed in 3.4.7

References

CVE
CVE-2025-1986

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
4.1 (medium)

Miscellaneous

Original Researcher
Greshow
Submitter
Greshow
Verified
Yes
WPVDB ID
f1414750-19ee-4a5d-b255-a9c20168b716

Timeline

Publicly Published
2025-03-11 (about 9 months ago)
Added
2025-03-11 (about 9 months ago)
Last Updated
2025-03-11 (about 9 months ago)

Other

Published
Title
Published
2025-01-03
Title
ARPrice < 4.2 - Unauthenticated SQL Injection
Published
2024-04-12
Title
Forms to Zapier, Integromat, IFTTT, Workato, Automate.io, elastic.io, Built.io, APIANT, Webhook <= 1.1.12 - Authenticated (Administrator+) SQL Injection
Published
2025-05-16
Title
Magic Responsive Slider and Carousel WordPress <= 1.4 - Authenticated (Contributor+) SQL Injection
Published
2025-05-22
Title
Goodlayers Hostel <= 3.1.2 - Unauthenticated SQL Injection
Published
2025-01-06
Title
ClickWhale – Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages < 2.4.2 - Authenticated (Contributor+) SQL Injection