EPSS: 0.002 (Low), percentile 57.0%
The code in dukapress/download.php does not sanitize user input from $_GET['id'] before passing it to query(), allowing SQL to be injected. The user is not required to be logged into WordPress in order to exploit this vulnerability.
vapid.dhs.org/advisory.php?v=152
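
An added example, not DukaPress code: the pattern the advisory describes next to a hardened lookup, written with PDO and an in-memory SQLite database so it runs under php-cli (PHP 8). The table, column and function names are hypothetical and the rows are constructed; inside WordPress the equivalent fix is $wpdb->prepare() with a %d placeholder.

```php
<?php
declare(strict_types=1);

// Added illustration; not DukaPress source. Table, columns and function
// names are hypothetical, and the rows below are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE downloads (id INTEGER PRIMARY KEY, file TEXT)');
$db->exec("INSERT INTO downloads (id, file) VALUES (7, 'manual.pdf'), (8, 'invoice.pdf')");

// Vulnerable pattern from the advisory: the request value becomes part of
// the SQL text, so the caller controls the structure of the statement.
// Defined for comparison only; it is never called here.
function lookup_unsafe(PDO $db, string $id): array|false
{
    return $db->query("SELECT file FROM downloads WHERE id = $id")->fetch(PDO::FETCH_ASSOC);
}

// Hardened form: accept only a positive integer, then bind it as a typed
// parameter so the value can never be parsed as SQL.
function lookup_safe(PDO $db, mixed $rawId): ?string
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // arrays, empty strings and non-numeric text stop here
    }
    $stmt = $db->prepare('SELECT file FROM downloads WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $file = $stmt->fetchColumn();
    return $file === false ? null : (string) $file;
}

// Constructed stand-ins for $_GET['id'], including the array form that
// PHP produces for a request parameter written as id[]=7.
foreach (['7', '8', '99', '7 abc', '', ['7']] as $raw) {
    $shown = is_array($raw) ? 'array' : "'$raw'";
    $result = lookup_safe($db, $raw);
    echo str_pad($shown, 10), ' => ', $result ?? 'rejected or not found', PHP_EOL;
}
```

Because the endpoint is reachable without a WordPress login, the integer check and the bound parameter are the only controls in front of the database, so both belong in the handler itself rather than in a layer that assumes an authenticated user.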