Description
WordPress Plugin Mingle Forum is prone to multiple SQL injection vulnerabilities and a security-bypass vulnerability because it fails to adequately sanitize user-supplied input before using it. An attacker can exploit the SQL injection vulnerabilities by supplying crafted input that alters the logic of the plugin's SQL queries and so carry out unauthorized actions on the underlying database; this may compromise the application and aid further attacks. Exploiting the security-bypass vulnerability may allow an attacker to circumvent the plugin's access restrictions and perform unauthorized actions. Mingle Forum versions 1.0.24 and 1.0.26 are known to be vulnerable; other versions may also be affected.
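The following is an added illustration, not code from the Mingle Forum plugin or from the referenced advisories, of the query-building pattern behind this class of WordPress SQL injection: a request parameter concatenated into a `$wpdb` query, next to the parameterised form WordPress provides through `$wpdb->prepare()`. The table name (`wp_forum_threads`), the `FakeWpdb` stand-in class and the request values are hypothetical and exist only so the file runs outside WordPress.

```php
<?php
// Added example, not Mingle Forum's code. Demonstrates string-built SQL versus
// $wpdb->prepare() in a WordPress plugin. Table name and inputs are hypothetical.

// Stand-in for the two $wpdb methods used below, so this runs without WordPress.
// It renders SQL instead of executing it. Assumption: it mirrors the real
// prepare() only for %d and %s (no %f, %%, or argument-count checks).
class FakeWpdb {
    public $prefix = 'wp_';
    public $last_query = '';

    // Simplified prepare(): %d -> integer cast, %s -> escaped and quoted string.
    public function prepare(string $query, ...$args): string {
        $i = 0;
        return preg_replace_callback('/%[ds]/', function ($m) use ($args, &$i) {
            $arg = $args[$i++] ?? '';
            return $m[0] === '%d'
                ? (string) (int) $arg
                : "'" . addslashes((string) $arg) . "'";
        }, $query);
    }

    public function get_results(string $sql): array {
        $this->last_query = $sql; // record the query instead of running it
        return [];
    }
}

// VULNERABLE: the request parameter is spliced into the SQL string, so input
// such as "1 OR 1=1 -- " rewrites the WHERE clause.
function get_thread_vulnerable(FakeWpdb $wpdb, string $thread_id): string {
    $wpdb->get_results(
        "SELECT * FROM {$wpdb->prefix}forum_threads WHERE id = " . $thread_id
    );
    return $wpdb->last_query;
}

// HARDENED: the value is bound through prepare(). %d coerces it to an integer
// and %s escapes and quotes it, so neither can change the query structure.
function find_threads_hardened(FakeWpdb $wpdb, string $thread_id, string $term): string {
    $wpdb->get_results($wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}forum_threads WHERE id = %d AND subject LIKE %s",
        $thread_id,
        '%' . $term . '%'
    ));
    return $wpdb->last_query;
}

// Constructed inputs of the kind an injection probe sends (hypothetical).
$wpdb     = new FakeWpdb();
$id_probe = "1 OR 1=1 -- ";
$term     = "x' OR '1'='1";

echo "vulnerable: ", get_thread_vulnerable($wpdb, $id_probe), PHP_EOL;
echo "hardened:   ", find_threads_hardened($wpdb, $id_probe, $term), PHP_EOL;
```

Run with `php example.php`: the vulnerable query carries the injected `OR 1=1` clause, while the prepared query reduces the id to the integer `1` and the search term to an escaped, quoted literal. In a real plugin the global `$wpdb` is used in place of `FakeWpdb`; the point to carry over is that every user-controlled value reaches the query through a `prepare()` placeholder, and that integer ids are additionally cast with `absint()` before use.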
Remediation
Update to Mingle Forum version 1.0.27 or later.
References
http://www.securityfocus.com/bid/45733/exploit
http://www.charleshooper.net/blog/multiple-vulnerabilities-in-mingle-forum-wordpress-plugin/