ThreatPress

WordPress Vulnerabilities Database


WordPress Simple Ads Manager Plugin <= 2.7.96 - Multiple SQL Injection

Product
Simple Ads Manager
Description
These vulnerabilities allow attackers to execute arbitrary SQL commands via the "cstr" parameter in a load_posts action to sam-ajax-admin.php, the "hits[][]" parameter in a sam_hits action to sam-ajax.php, the "searchTerm" parameter in a load_combo_data action to sam-ajax-admin.php, or the "editor", "author", "contributor", "admin", "sadmin" or "subscriber" parameter in a load_users action to sam-ajax-admin.php.
Solution
Update the plugin to version 2.7.97 or later.
Classification
Type: SQL Injection
OWASP Top 10: A1 Injection
References
CVE (MITRE)
CVE
Name: CVE-2015-2824
Versions
Affected in: <= 2.7.96
Fixed in: 2.7.97
Disclosure date
2015-04-01
Credits
Le Hong Minh