Description

WordPress Plugin Ninja Announcements Lite is prone to an SQL injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Successful exploitation requires the "Author" role. WordPress Plugin Ninja Announcements Lite version 1.2.3 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 1.3 or latest

References

http://plugins.trac.wordpress.org/changeset/389179/ninja-announcements/trunk/ninja_annc.php?old=387277&old_path=ninja-announcements%2Ftrunk%2Fninja_annc.php

http://secunia.com/advisories/46398/

Related Vulnerabilities

Oracle Database Server CVE-2010-0902 Vulnerability (CVE-2010-0902)

Drupal Core 8.5.x Cross-Site Scripting (8.5.0 - 8.5.1)

MySQL CVE-2016-0598 Vulnerability (CVE-2016-0598)

WordPress 4.2.x Possible SQL Injection Vulnerability (4.2 - 4.2.16)

WordPress Plugin mb.YTPlayer for background videos Unspecified Vulnerability (1.7.2)

Severity

High

Classification

CWE-89 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update SQL Injection