Description

WordPress Plugin Post Indexer (WPMU DEV) is prone to multiple vulnerabilities, including SQL injection and arbitrary code execution vulnerabilities. Exploiting these issues could allow an attacker to access or modify data, to execute arbitrary commands with the privileges of the user running the application, to compromise the application or the underlying database, or to compromise a vulnerable system. WordPress Plugin Post Indexer (WPMU DEV) version 3.0.6.1 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 3.0.6.2 or latest

References

https://security.dxw.com/advisories/sql-injection-in-post-indexer-allows-super-admins-to-read-the-contents-of-the-database/

https://security.dxw.com/advisories/unserialisation-in-post-indexer-could-allow-man-in-the-middle-to-execute-arbitrary-code-in-some-circumstances/

http://seclists.org/fulldisclosure/2016/Nov/91

http://seclists.org/fulldisclosure/2016/Nov/107

Related Vulnerabilities

phpMyFAQ Authentication Bypass by Capture-replay Vulnerability (CVE-2023-1886)

MySQL CVE-2017-3455 Vulnerability (CVE-2017-3455)

Ruby on Rails Improper Input Validation Vulnerability (CVE-2013-1856)

MODX Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2014-8774)

WordPress Plugin WP Courses LMS Cross-Site Scripting (2.0.43)

Severity

High

Classification

CWE-89 CWE-94 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Missing Update