Description

WordPress Plugin Visual Email Designer for WooCommerce is prone to an SQL injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. WordPress Plugin Visual Email Designer for WooCommerce version 1.7.1 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 1.7.2 or latest

References

https://sploitus.com/exploit?id=WPEX-ID:D99CE21F-FBB6-429C-AA3B-19C4A5EB7557

https://plugins.svn.wordpress.org/email-customizer-woocommerce/trunk/Readme.txt

Related Vulnerabilities

WordPress Plugin WP-Filebase Download Manager Multiple Unspecified Vulnerabilities (0.2.9.24)

WordPress Plugin My Tickets Cross-Site Scripting (1.8.30)

WordPress Plugin DFD Reddcoin Tips Cross-Site Scripting (1.1.1)

WordPress Plugin WP YouTube Live Cross-Site Scripting (1.7.21)

WordPress Plugin MW Font Changer Cross-Site Scripting (4.2.5)

Severity

High

Classification

CVE-2022-3860 CWE-89 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Missing Update SQL Injection