Description

WordPress Plugin Visual Email Designer for WooCommerce is prone to an SQL injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. WordPress Plugin Visual Email Designer for WooCommerce version 1.7.1 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 1.7.2 or latest

References

https://sploitus.com/exploit?id=WPEX-ID:D99CE21F-FBB6-429C-AA3B-19C4A5EB7557

https://plugins.svn.wordpress.org/email-customizer-woocommerce/trunk/Readme.txt

Related Vulnerabilities

Jenkins Improper Input Validation Vulnerability (CVE-2018-1999001)

WordPress Plugin WP HTML Author Bio Cross-Site Scripting (1.2.0)

WordPress Direct Request ('Forced Browsing') Vulnerability (CVE-2005-1688)

WordPress Plugin Playbuzz Cross-Site Scripting (0.8.1)

WordPress Plugin Relevanssi-A Better Search 'Seach Query' Field HTML Injection (2.7.2)

Severity

High

Classification

CVE-2022-3860 CWE-89 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Missing Update SQL Injection