ThreatPress

WordPress Vulnerabilities Database

WordPress WPML Plugin <= 3.1.8 - SQL Injection #1

Product
WPML - WordPress Multilingual
Description
Because of the "menu sync" function, remote attackers can delete arbitrary posts, pages, and menus via a crafted request to sitepress-multilingual-cms/menu/menus-sync.php.
Related records: http://db.threatpress.com/vulnerability/wpml---wordpress-multilingual-/wordpress-wpml-plugin-3-1-8-sql-injection-2
Solution
Update the plugin.
Classification
Type: SQL Injection
OWASP Top 10: A1: Injection
References
CVE Mitre
CVE
Name: CVE-2015-2791
Versions
Affected In: <= 3.1.8
Fixed In: 3.1.9
Disclosure date
2015-03-30