Description

WordPress Plugin Flexi Quote Rotator is prone to a cross-site request forgery vulnerability and an SQL injection vulnerability. Attackers may exploit these issues to compromise the application, access or modify data, exploit vulnerabilities in the underlying database or to perform unauthorized actions by enticing a logged-in user to visit a malicious site. WordPress Plugin Flexi Quote Rotator version 0.9 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 0.9.3 or latest

References

http://ceriksen.com/2012/07/25/wordpress-flexi-quote-rotator-plugin-multiple-vulnerabilities/

http://secunia.com/advisories/49910/

Related Vulnerabilities

WordPress Plugin WPtouch 'wptouch_settings' Parameter Cross-Site Scripting (1.9.20)

MySQL CVE-2020-14568 Vulnerability (CVE-2020-14568)

WordPress Plugin PublishPress Future: Automatically Unpublish WordPress Posts Security Bypass (2.5.1)

SharePoint CVE-2020-1444 Vulnerability (CVE-2020-1444)

Drupal Core 6.x Information Disclosure (6.0 - 6.30)

Severity

High

Classification

CWE-89 CWE-352 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update CSRF SQL Injection