Description
WordPress Plugin Mingle Forum is prone to multiple SQL injection vulnerabilities and a security-bypass vulnerability because it fails to adequately sanitize user-supplied input. Exploiting the security-bypass issue may allow an attacker to bypass certain security restrictions and perform unauthorized actions. The attacker can exploit the SQL-injection issue by manipulating the SQL query logic to carry out unauthorized actions on the underlying database. This may compromise the application and may aid in further attacks. WordPress Plugin Mingle Forum versions 1.0.24 and 1.0.26 are vulnerable; other versions may also be affected.
Remediation
Update to plugin version 1.0.27 or latest
References
http://www.securityfocus.com/bid/45733/exploit
http://www.charleshooper.net/blog/multiple-vulnerabilities-in-mingle-forum-wordpress-plugin/
Related Vulnerabilities
WordPress Plugin wpcu3er 'ajaxReq.php' Arbitrary File Upload (0.55)
WordPress Plugin Fancy Product Designer-WooCommerce Cross-Site Scripting (3.4.1)
WordPress Plugin Broken Link Checker Cross-Site Scripting (1.10.1)
WordPress 3.9.x Cross-Domain Flash Injection Vulnerability (3.9 - 3.9.22)
WordPress Plugin Leaflet 'id' Parameter Cross-Site Scripting (0.0.1)