Description

WordPress Plugin Easy Contact Form Lite is prone to an SQL injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. WordPress Plugin Easy Contact Form Lite version 1.0.7 is vulnerable; other versions may also be affected.

Remediation

Update to the latest version

References

http://www.securityfocus.com/bid/49206/exploit

http://www.exploit-db.com/exploits/17680/

http://packetstormsecurity.com/files/view/104153/wpecfl-sql.txt

Related Vulnerabilities

WordPress Plugin Revive Old Post-Auto Post to Social Media 'cat' Parameter SQL Injection (3.2.5)

Oracle Application Server CVE-2009-0996 Vulnerability (CVE-2009-0996)

WordPress Plugin Ultimate Member-User Profile, Registration, Login, Member Directory, Content Restriction & Membership Local File Inclusion (1.3.64)

WordPress Cleartext Storage of Sensitive Information Vulnerability (CVE-2017-14990)

WordPress Plugin Smush Image Compression and Optimization Directory Traversal (2.7.5)

Severity

High

Classification

CWE-89 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update SQL Injection