WP-Advanced-Search < 3.3.7 - Authenticated SQL Injection



Description
The import functionality used to restore plugin settings from the admin pages was vulnerable to SQL injection. The import could be triggered by any authenticated user holding the edit_posts capability (the Contributor role and above), so the issue did not require administrator access.
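The pattern described above, as an added illustration that is not WP-Advanced-Search's code and makes no claim about how that plugin is implemented: a generic WordPress "import settings" handler that interpolates request data into SQL, next to a hardened version. All function, nonce and option names (hypothetical_import_settings_*, hypothetical_plugin_*) are assumptions made for the example.

```php
<?php
/*
 * Illustrative only. This is NOT the plugin's code; the function and option
 * names are assumptions. It shows the vulnerable pattern the advisory
 * describes and the usual fix.
 */

// Vulnerable pattern: keys and values from the posted JSON are concatenated
// straight into the UPDATE statement. Anyone who can reach the handler
// (here: any user with edit_posts) controls $name and $value, so a value
// containing a single quote breaks out of the literal and alters the query.
function hypothetical_import_settings_vulnerable() {
    global $wpdb;
    $settings = json_decode( stripslashes( $_POST['settings'] ), true );
    foreach ( $settings as $name => $value ) {
        $wpdb->query( "UPDATE {$wpdb->options} SET option_value = '$value' WHERE option_name = '$name'" );
    }
}

// Hardened pattern.
function hypothetical_import_settings_fixed() {
    // 1. Changing plugin settings is an administrative action; require
    //    manage_options rather than the much broader edit_posts.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', '', array( 'response' => 403 ) );
    }
    // 2. Tie the request to a nonce so it cannot be triggered cross-site.
    check_admin_referer( 'hypothetical_import_settings' );

    $settings = json_decode( wp_unslash( $_POST['settings'] ?? '' ), true );
    if ( ! is_array( $settings ) ) {
        wp_die( 'Malformed settings payload.', '', array( 'response' => 400 ) );
    }

    // 3. Allow-list the plugin's own option names so the caller cannot
    //    choose which row of wp_options is written.
    $allowed = array( 'hypothetical_plugin_layout', 'hypothetical_plugin_results_per_page' );

    foreach ( $settings as $name => $value ) {
        if ( ! in_array( $name, $allowed, true ) ) {
            continue;
        }
        // 4. No hand-built SQL at all: update_option() serialises and
        //    escapes the value through $wpdb itself.
        update_option( $name, sanitize_text_field( (string) $value ) );
    }
}

// Where raw SQL is genuinely needed, parameterise it. %s placeholders are
// escaped and quoted by $wpdb->prepare(), so user data never becomes syntax.
function hypothetical_update_option_prepared( $name, $value ) {
    global $wpdb;
    return $wpdb->query(
        $wpdb->prepare(
            "UPDATE {$wpdb->options} SET option_value = %s WHERE option_name = %s",
            $value,
            $name
        )
    );
}
```

The hardened handler would be registered with add_action( 'admin_post_hypothetical_import_settings', 'hypothetical_import_settings_fixed' ) and the form that posts to it would carry wp_nonce_field( 'hypothetical_import_settings' ); the capability check, the nonce and the allow-list each close a separate hole, and none of them is a substitute for the others.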

Affects Plugin

WP-Advanced-Search (fixed in version 3.3.7)

References

CVE-2020-12104

Classification

Type SQLI
OWASP Top 10 A1: Injection
CWE CWE-89

Miscellaneous

Original Researcher Nawaf Alkeraithe, Hashim Alshareef
Submitter Nawaf
Submitter Twitter @NawafAlkeraithe @HashimAlshareff
Verified No
WPVDB ID 10199

Timeline

Publicly Published 2020-04-28
Added 2020-04-29
Last Updated 2020-04-30
