CVE-2011-1047

Name of the Vulnerable Software and Affected Versions VastHTML Forum Server (aka ForumPress) plugin versions 1.6.1 through 1.6.5

Description The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the search max parameter in a "search" action to "index.php", the id parameter in an "editpost" action to "index.php", or the topic parameter to "feed.php". These parameters are not properly handled by the respective scripts, leading to potential SQL injection.

Recommendations For VastHTML Forum Server (aka ForumPress) plugin versions 1.6.1 through 1.6.5, consider disabling the search and editpost actions in "index.php" and restrict access to "feed.php" until a patch is available. Avoid using the search max, id, and topic parameters in the affected API endpoints until the issue is resolved.