ThreatPress

WordPress Vulnerabilities Database


WordPress My Category Order Plugin <= 2.8 - SQL Injection Vulnerability

Product
My Category Order
Description
An SQL injection vulnerability was found in mycategoryorder.php (lines 47-48). An attacker can exploit it from a browser through the 'parentID' request parameter, which reaches the query without adequate sanitisation.
Solution
Fix (manually) in mycategoryorder.php.
Find this line: $parentID = intval($_GET['parentID']);
Replace with: $parentID = intval($_GET['parentID']);
Or update the plugin.
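Added example, not code from the My Category Order plugin: it contrasts a query built by concatenating the raw 'parentID' value with the advisory's fix, an integer cast (emulating PHP's intval()) followed by a bound parameter. The terms table, its column names and rows are constructed for illustration.

```python
import re
import sqlite3

def php_intval(value: str) -> int:
    """Emulate PHP intval() on a string: take the optional sign and leading
    digits, discard everything after them, and return 0 if there are none."""
    m = re.match(r"\s*([+-]?\d+)", value)
    return int(m.group(1)) if m else 0

def build_db() -> sqlite3.Connection:
    # Constructed sample data standing in for a WordPress term table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE terms (term_id INTEGER, name TEXT, parent INTEGER)")
    conn.executemany(
        "INSERT INTO terms VALUES (?, ?, ?)",
        [(1, "News", 0), (2, "Sports", 1), (3, "Tech", 1), (4, "Archive", 9)],
    )
    return conn

def children_unsafe(conn: sqlite3.Connection, parent_id_param: str) -> list:
    # Vulnerable pattern: the request value is pasted straight into the SQL text,
    # so anything that is not a plain number becomes part of the WHERE clause.
    sql = "SELECT name FROM terms WHERE parent = " + parent_id_param + " ORDER BY term_id"
    return [row[0] for row in conn.execute(sql)]

def children_fixed(conn: sqlite3.Connection, parent_id_param: str) -> list:
    # Fixed pattern from the advisory: coerce to int first, then bind it as a
    # parameter so the database never sees the original string at all.
    parent_id = php_intval(parent_id_param)
    rows = conn.execute(
        "SELECT name FROM terms WHERE parent = ? ORDER BY term_id", (parent_id,)
    )
    return [row[0] for row in rows]

if __name__ == "__main__":
    db = build_db()
    for value in ["1", "1 OR 1=1", "abc"]:
        print(repr(value), "->", php_intval(value), children_fixed(db, value))
```

A quick way to confirm the fix locally is to feed a non-numeric 'parentID' to both functions and check that only the concatenated version changes its result set.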
Classification
Type: SQL Injection
OWASP Top 10: A1: Injection
References
Exploit-DB
CVE
Name: CVE-2009-4748
Versions
Affected in: <= 2.8
Fixed in: 2.9
Disclosure date
2009-07-15
Credits
Manh Luat