Cart66 Lite <= 1.5.3 - SQL Injection



Description
The query string argument (QSA) named ‘q’ for the ‘promotionProductSearch’ AJAX call is not sanitized, which allows MySQL injection using a UNION. The attacker must be logged in for this to apply. The output is JSON encoded, but it is a direct representation of the rows returned by the MySQL query, so rows pulled in by an injected UNION are returned to the caller unchanged.
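The following is an added example, not code from Cart66 Lite or from the advisory author; it reconstructs the class of bug described above against a constructed SQLite schema (hypothetical `products` and `users` tables, invented rows) so it runs offline. The vulnerable function splices ‘q’ straight into a LIKE clause and JSON-encodes whatever rows come back, so a UNION payload returns rows from an unrelated table; the fixed function binds the value as a parameter and also escapes LIKE metacharacters, which is the same pattern WordPress offers through `$wpdb->prepare()` and `$wpdb->esc_like()`. Note that the login requirement in the description is a precondition for reaching the endpoint, not a mitigation.

```python
import json
import sqlite3

# Constructed sample data; the table and column names are assumptions,
# not the plugin's real schema.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER, name TEXT, price REAL);
        INSERT INTO products VALUES (1, 'Widget', 9.99), (2, 'Gadget', 19.99);
        CREATE TABLE users (id INTEGER, user_login TEXT, user_pass TEXT);
        INSERT INTO users VALUES (1, 'admin', 'fakehash_admin');
        """
    )
    return conn


# Attacker-controlled search term: closes the LIKE string, appends a UNION
# with the same column count as the original SELECT, and comments out the tail.
UNION_PAYLOAD = "' UNION SELECT id, user_login, user_pass FROM users -- "


def product_search_vulnerable(conn, q):
    """Mirrors the flawed pattern: raw input concatenated into SQL text,
    result rows JSON-encoded as-is."""
    sql = "SELECT id, name, price FROM products WHERE name LIKE '%" + q + "%'"
    return json.dumps(conn.execute(sql).fetchall())


def escape_like(s):
    """Escape backslash and the LIKE wildcards so the term matches literally."""
    return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def product_search_fixed(conn, q):
    """Hardened form: the term is bound as a parameter, so the SQL structure
    cannot change; LIKE wildcards in the term are escaped as well."""
    sql = "SELECT id, name, price FROM products WHERE name LIKE ? ESCAPE '\\'"
    pattern = "%" + escape_like(q) + "%"
    return json.dumps(conn.execute(sql, (pattern,)).fetchall())


def demo():
    conn = build_db()
    return {
        "vulnerable": product_search_vulnerable(conn, UNION_PAYLOAD),
        "fixed": product_search_fixed(conn, UNION_PAYLOAD),
    }


if __name__ == "__main__":
    for label, out in demo().items():
        print(label, out)
```

The vulnerable call returns the `users` row alongside the product rows because the UNION's three columns line up with `id, name, price`; the fixed call returns an empty list because the whole payload is searched for as a literal string. The `%`/`_` escaping is a separate concern from injection (a bare `%` would otherwise match every product), but it belongs in the same fix.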

Affects Plugin

fixed in version 1.5.4

References

CVE 2014-9442
URL https://research.g0blin.co.uk/cve-2014-9442/

Classification

Type SQLI
OWASP Top 10 A1: Injection
CWE CWE-89

Miscellaneous

Submitter James Hooker
Submitter Website https://research.g0blin.co.uk
Submitter Twitter g0blinResearch
Verified No
WPVDB ID 7737

Timeline

Added 2015-01-01
Last Updated 2015-11-12

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.