ThreatPress

WordPress Vulnerabilities Database


WordPress Audio Player Plugin <= 2.0 - Multiple SQL Injection

Product: Audio Player
Description: These vulnerabilities allow an administrator to execute arbitrary SQL commands via the "itemid" parameter of wonderplugin_audio_show_item, and allow an authenticated user to execute arbitrary SQL commands via the "item[id]" parameter of a wonderplugin_audio_save_item action sent to wp-admin/admin-ajax.php.
Solution: Update the plugin.
Classification
Type: SQL Injection
OWASP Top 10: A1: Injection
References: CVE (Mitre)
CVE Name: CVE-2015-2199
Versions
Affected In: <= 2.0
Fixed In: 2.1
Disclosure date: 2015-03-03
Credits: Kacper Szurek