Description
The WordPress plugin Mingle Forum is prone to multiple SQL-injection vulnerabilities and a security-bypass vulnerability because it fails to adequately sanitize user-supplied input. Exploiting the security-bypass issue may allow an attacker to bypass certain security restrictions and perform unauthorized actions. An attacker can exploit the SQL-injection issues by manipulating the SQL query logic to carry out unauthorized actions on the underlying database. This may compromise the application and may aid in further attacks. Mingle Forum versions 1.0.24 and 1.0.26 are known to be vulnerable; other versions may also be affected.
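The two defects named above (unsanitized input reaching a query, and an action that does not verify the caller's authorization) are illustrated below with a generic WordPress pattern. This is an added example, not code from the Mingle Forum plugin or from the advisory; the function names, the table name and the capability used are hypothetical, chosen only to show the vulnerable shape next to the hardened one.

```php
<?php
// Added illustration; not the plugin's code. Assumes the WordPress $wpdb
// object and a hypothetical table {$wpdb->prefix}forum_posts with columns
// id, thread_id, body.

// Vulnerable pattern: the request value is concatenated straight into the
// SQL text, so whatever is passed as $thread becomes part of the query logic.
function mf_example_posts_vulnerable( $thread ) {
    global $wpdb;
    $sql = "SELECT id, body FROM {$wpdb->prefix}forum_posts WHERE thread_id = " . $thread;
    return $wpdb->get_results( $sql );
}

// Hardened pattern: the value is bound through $wpdb->prepare() with a %d
// placeholder, so it is always treated as an integer and never as SQL.
function mf_example_posts_hardened( $thread ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT id, body FROM {$wpdb->prefix}forum_posts WHERE thread_id = %d",
        $thread
    );
    return $wpdb->get_results( $sql );
}

// The security-bypass side: a state-changing action must check the caller's
// capability and a nonce on the server, not rely on the UI hiding the form.
// 'moderate_comments' is a hypothetical choice of capability for this example.
function mf_example_delete_post_hardened( $post_id ) {
    global $wpdb;
    if ( ! current_user_can( 'moderate_comments' ) ) {
        return new WP_Error( 'forbidden', 'You are not allowed to delete posts.' );
    }
    check_admin_referer( 'mf_example_delete_' . (int) $post_id ); // CSRF protection
    return $wpdb->delete(
        $wpdb->prefix . 'forum_posts',
        array( 'id' => (int) $post_id ),
        array( '%d' )
    );
}
```

When reviewing a plugin for this class of issue, search for `$wpdb->query`, `$wpdb->get_results` and similar calls whose SQL string is built with concatenation or interpolation of `$_GET`/`$_POST` values, and for handlers that change data without a `current_user_can()` and nonce check.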
Remediation
Update to plugin version 1.0.27 or later.
References
http://www.securityfocus.com/bid/45733/exploit
http://www.charleshooper.net/blog/multiple-vulnerabilities-in-mingle-forum-wordpress-plugin/