
The Wysija Newsletters WordPress plugin, version 2.2, suffers from a SQL injection vulnerability (HTB23140).
The vulnerability exists due to insufficient filtering of user-supplied input passed via the "search" and "orderby" HTTP GET parameters to the "wp-admin/admin.php" script. A remote authenticated administrator can execute arbitrary SQL commands in the application's database. The vulnerability could also be exploited by a remote non-authenticated attacker via a CSRF vector, since the application is prone to cross-site request forgery attacks.
Upgrade to Wysija Newsletters version 2.2.1 to fix this vulnerability.
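As an added example (not the plugin's own code), here is how a WordPress admin list handler can close both weaknesses described above: a fixed allow-list for "orderby" so the value never reaches the ORDER BY clause verbatim, a bound parameter for "search", and a nonce check that blocks the CSRF vector. The function name, table, column names and nonce action are hypothetical; the WordPress API calls ($wpdb->prepare, $wpdb->esc_like, check_admin_referer, current_user_can) are real.

```php
<?php
// Added example, not Wysija code: hardened handler for a plugin admin screen
// reached through wp-admin/admin.php. Table/column names are placeholders.
function example_render_subscriber_list() {
    global $wpdb;

    // Authorisation: only administrators may run this listing query.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }

    // CSRF: require a valid nonce, so a forged link opened by a logged-in
    // admin cannot drive this request. 'example_list' is a hypothetical action.
    check_admin_referer( 'example_list', '_wpnonce' );

    // "orderby": map the request value onto an allow-list of real columns.
    // Anything not in the list silently falls back to the default column.
    $allowed_orderby = array(
        'id'      => 'id',
        'email'   => 'email',
        'created' => 'created_at',
    );
    $orderby_key = isset( $_GET['orderby'] ) ? sanitize_key( $_GET['orderby'] ) : 'id';
    $orderby     = isset( $allowed_orderby[ $orderby_key ] ) ? $allowed_orderby[ $orderby_key ] : 'id';
    $order       = ( isset( $_GET['order'] ) && strtoupper( $_GET['order'] ) === 'DESC' ) ? 'DESC' : 'ASC';

    // "search": bind it as a parameter and escape LIKE wildcards instead of
    // concatenating it into the SQL string.
    $search = isset( $_GET['search'] ) ? sanitize_text_field( wp_unslash( $_GET['search'] ) ) : '';
    $table  = $wpdb->prefix . 'example_subscribers'; // hypothetical table name

    if ( $search !== '' ) {
        $like = '%' . $wpdb->esc_like( $search ) . '%';
        // $table, $orderby and $order are trusted values built above, never raw input.
        $sql = $wpdb->prepare(
            "SELECT id, email, created_at FROM {$table} WHERE email LIKE %s ORDER BY {$orderby} {$order}",
            $like
        );
    } else {
        $sql = "SELECT id, email, created_at FROM {$table} ORDER BY {$orderby} {$order}";
    }

    return $wpdb->get_results( $sql, ARRAY_A );
}
```

Links to this screen must be generated with wp_nonce_url() using the same action name, otherwise check_admin_referer() rejects every request.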