CVE-2014-125099

EPSS 0.72%
Veröffentlicht 20.04.2023 06:15:06
Zuletzt bearbeitet 21.11.2024 02:03:48
Quelle cna@vuldb.com
CVE-Watchlists
Login
Unerledigt
Login

I Recommend This Plugin dot-irecommendthis.php sql injection

I Recommend This <= 3.7.2 - Authenticated (Subscriber+) SQL Injection via Shortcode

A vulnerability has been found in I Recommend This Plugin up to 3.7.2 on WordPress and classified as critical. Affected by this vulnerability is an unknown functionality of the file dot-irecommendthis.php. The manipulation leads to sql injection. The attack can be launched remotely. Upgrading to version 3.7.3 is able to address this issue. The identifier of the patch is 058b3ef5c7577bf557557904a53ecc8599b13649. It is recommended to upgrade the affected component. The identifier VDB-226309 was assigned to this vulnerability.

Mögliche Gegenmaßnahme

I Recommend This – Love/Like Button for WordPress Posts: Update to version 3.7.3, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 8

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Themeist ≫ I Recommend This SwPlatformwordpress Version <= 3.7.2

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt I Recommend This – Love/Like Button for WordPress Posts

Version *-3.7.2

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.72%	0.491

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cna@vuldb.com	6.3	2.8	3.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
cna@vuldb.com	6.5	8	6.4	AV:N/AC:L/Au:S/C:P/I:P/A:P

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

https://github.com/wp-plugins/i-recommend-this/commit/058b3ef5c7577bf557557904a53ecc8599b13649

Patch

https://github.com/wp-plugins/i-recommend-this/releases/tag/3.7.3

Release Notes

https://vuldb.com/?ctiid.226309

Third Party Advisory

Permissions Required

https://vuldb.com/?id.226309

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/ca9c10b6-6d32-45c9-beb1-7a5c84d0863d

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2014-125099