Vector: Remote
Severity: Low
Patch: Unpatched
Impact: Data Manipulation
Software: WordPress WP Symposium Plugin, vulnerable versions: <=14.12
A SQL injection vulnerability was reported in the WordPress WP Symposium Plugin.
The vulnerability is caused by an input validation error while processing the "tray" POST parameter to wp-symposium/ajax/mail_functions.php (when "action" is set to "getMailMessage" and "mid" is set to a valid message ID). A remote attacker can send a specially crafted request to the vulnerable application and execute arbitrary SQL commands in the application's database.
Further exploitation of this vulnerability may result in unauthorized data manipulation.
Links: http://security.szurek.pl/wp-symposium-1410-multiple-xss-and-sql-injection.html
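As an added illustration (not the plugin's own code and not part of the original advisory), the PHP below contrasts the defect class described above, a POST parameter concatenated straight into a query, with a hardened handler for a request of the same shape (action=getMailMessage, mid, tray). The table name, column names, the allowed "tray" values and both function names are assumptions for this example; the real plugin schema is not shown on the page.

```php
<?php
// Added example, not code from WP Symposium. Table/column names, the allow-list
// of tray values and the function names are assumptions for illustration.

// Fixed set of tray values the application defines (assumed for this example).
const ALLOWED_TRAYS = ['inbox', 'sent'];

// Defect class described in the advisory: user input lands inside the SQL text.
// The database cannot tell the operator's query from the caller's parameter.
function get_mail_message_unsafe(array $post, wpdb $wpdb): ?array
{
    $mid  = (int) ($post['mid'] ?? 0);
    $tray = $post['tray'] ?? '';                     // never validated or escaped
    $sql  = "SELECT mid, subject, body FROM {$wpdb->prefix}symposium_mail "
          . "WHERE mid = $mid AND tray = '$tray'";  // string concatenation
    return $wpdb->get_row($sql, ARRAY_A) ?: null;
}

// Hardened form: validate the shape of every parameter, then bind values with
// $wpdb->prepare() so they reach the database as data, not as SQL.
// Nonce and capability checks (wp_verify_nonce, current_user_can) belong in
// front of this function; they are left out to keep the contrast on the query.
function get_mail_message_safe(array $post, wpdb $wpdb): ?array
{
    if (($post['action'] ?? '') !== 'getMailMessage') {
        return null;
    }

    // "mid" must be a positive integer; anything else is rejected outright.
    $mid = filter_var(
        $post['mid'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($mid === false) {
        return null;
    }

    // "tray" is compared against a fixed allow-list; free-form input is refused.
    $tray = $post['tray'] ?? '';
    if (!in_array($tray, ALLOWED_TRAYS, true)) {
        return null;
    }

    // %d and %s placeholders: $wpdb->prepare() casts the integer and quotes and
    // escapes the string, so neither value can alter the statement structure.
    $sql = $wpdb->prepare(
        "SELECT mid, subject, body FROM {$wpdb->prefix}symposium_mail "
        . "WHERE mid = %d AND tray = %s",
        $mid,
        $tray
    );

    $row = $wpdb->get_row($sql, ARRAY_A);
    return $row ?: null;
}
```

The allow-list on "tray" is the decisive check for a parameter that only ever takes a handful of fixed values; $wpdb->prepare() then covers the residual case where a string column must accept arbitrary user text. Detection-wise, requests to mail_functions.php whose "tray" value is anything other than the application's known tray names are a cheap signal to log at the web tier.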