CVE-2015-2292
6.5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
8.4 High
AI Score
Confidence
Low
0.002 Low
EPSS
Percentile
61.4%
Multiple SQL injection vulnerabilities in admin/class-bulk-editor-list-table.php in the WordPress SEO by Yoast plugin before 1.5.7, 1.6.x before 1.6.4, and 1.7.x before 1.7.4 for WordPress allow remote authenticated users to execute arbitrary SQL commands via the (1) order_by or (2) order parameter in the wpseo_bulk-editor page to wp-admin/admin.php. NOTE: this can be leveraged using CSRF to allow remote attackers to execute arbitrary SQL commands.
Affected configurations
References
packetstormsecurity.com/files/130811/WordPress-SEO-By-Yoast-1.7.3.3-SQL-Injection.html
seclists.org/fulldisclosure/2015/Mar/73
www.securitytracker.com/id/1031920
wordpress.org/plugins/wordpress-seo/changelog/
wpvulndb.com/vulnerabilities/7841
www.exploit-db.com/exploits/36413/
yoast.com/wordpress-seo-security-release/
Related
6.5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
8.4 High
AI Score
Confidence
Low
0.002 Low
EPSS
Percentile
61.4%