Give <= 2.5.0 - SQL Injection

Description
"A SQL injection vulnerability exists in the Impress GiveWP Give plugin through 2.5.0 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system via includes/payments/class-payments-query.php or includes/donors/class-give-donors-query.php."

Affects Plugin

Give (fixed in version 2.5.1)

References

CVE 2019-13578
URL https://fortiguard.com/zeroday/FG-VD-19-098
URL https://github.com/impress-org/give/commit/d91f4c6dcc92aeb826b060cb2feadd56885f4cea
URL https://github.com/impress-org/give/commit/97b9b5fae2d10742ee42fe00092729fa7da3cb32
URL https://github.com/impress-org/give/commit/894937d7927eab0c98457656cbd6fb414b3a6fbf

Classification

Type SQLI
OWASP Top 10 A1: Injection
CWE CWE-89

Miscellaneous

Original Researcher Tin Duong of Fortinet's FortiGuard Labs
Verified No
WPVDB ID 9504

Timeline

Publicly Published 2019-08-12
Added 2019-08-12
Last Updated 2019-08-21
