Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1wcTJmLTNmZzMtcnc5Oc0yxg
SQL Injection in WordPress Zero Spam WordPress plugin
The WordPress Zero Spam WordPress plugin before 5.2.13 does not properly sanitise and escape the order and orderby parameters before using them in a SQL statement in the admin dashboard, leading to a SQL injection
Permalink: https://github.com/advisories/GHSA-pq2f-3fg3-rw99JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wcTJmLTNmZzMtcnc5Oc0yxg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 2 years ago
Updated: over 1 year ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-pq2f-3fg3-rw99, CVE-2022-0254
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-0254
- https://plugins.trac.wordpress.org/changeset/2660225
- https://plugins.trac.wordpress.org/changeset/2680906
- https://wpscan.com/vulnerability/ae54681f-7b89-408c-b0ee-ba4a520db997
- https://github.com/Highfivery/zero-spam-for-wordpress/commit/49723f696f1e2f2a76ac89375910bb036a4895f3
- https://github.com/advisories/GHSA-pq2f-3fg3-rw99
Blast Radius: 1.0
Affected Packages
packagist:bmarshall511/wordpress_zero_spam
Dependent packages: 0Dependent repositories: 0
Downloads: 7 total
Affected Version Ranges: < 5.2.13
Fixed in: 5.2.13
All affected versions: 4.10.2, 5.0.8, 5.0.12, 5.0.13, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.5, 5.1.6, 5.2.0, 5.2.2, 5.2.4, 5.2.5, 5.2.7, 5.2.8
All unaffected versions: 5.2.13, 5.2.14, 5.4.0, 5.4.5, 5.4.6, 5.4.7, 5.5.0, 5.5.2, 5.5.3, 5.5.4, 5.5.5, 5.5.6