WP Symposium Plugin for WordPress forum_functions.php 'topic_id' Parameter SQLi

Severity: High | Nessus Plugin ID 85629

Synopsis

The remote web server hosts a web application that is affected by a SQL injection vulnerability.

Description

The WordPress WP Symposium Plugin installed on the remote host is affected by a SQL injection vulnerability due to a failure to properly sanitize user-supplied input to the 'topic_id' parameter of the forum_functions.php script. An unauthenticated, remote attacker can exploit this issue to conduct a blind SQL injection attack against the affected application, resulting in the manipulation or disclosure of arbitrary data.

Solution

Upgrade to WordPress WP Symposium Plugin version 15.8 or later.

See Also

https://seclists.org/fulldisclosure/2015/Aug/33

https://plugins.trac.wordpress.org/changeset/1214869

Plugin Details

Severity: High

ID: 85629

File Name: wordpress_wp_symposium_topic_id_sqli.nasl

Version: 1.6

Type: remote

Family: CGI abuses

Published: 8/25/2015

Updated: 1/19/2021

Supported Sensors: Nessus

Risk Information

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/a:wpsymposium:wp_symposium, cpe:/a:wordpress:wordpress

Required KB Items: installed_sw/WordPress, www/PHP

Patch Publication Date: 8/7/2015

Vulnerability Publication Date: 8/10/2015