Description
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the MergeRecords module by an Admin user.

Remediation

References
CVE-2019-17304

Severity
High

Classification
CVE-2019-17304
CWE-94
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Tags
Missing Update
Known Vulnerabilities