WordPress Plugin Vulnerabilities

MapPress Maps for WordPress < 2.85.5 - Contributor+ SQL Injection

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as Contributor.

Affects Plugins

Plugin icon
mappress-google-maps-for-wordpress
Fixed in 2.85.5

References

CVE
CVE-2023-26015

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
f3325eb7-cbf8-4184-b6b8-fd66fac3fcfd

Timeline

Publicly Published
2023-04-06 (about 1 years ago)
Added
2023-09-12 (about 8 months ago)
Last Updated
2023-09-12 (about 8 months ago)

Other

Published
Title
Published
2014-08-01
Title
WP Realty - MySQL Time Based Injection
Published
2014-08-01
Title
WP RSS Poster 1.0.0 - wp-admin/admin.php wrp-add-new Page id Parameter SQL Injection
Published
2021-08-06
Title
Block and Stop Bad Bots < 6.60 - Authenticated SQL Injections
Published
2016-02-04
Title
User Meta Manager <= 3.4.6 - Authenticated Blind SQL Injection
Published
2024-04-18
Title
Forminator < 1.29.3 - Admin+ SQL Injection