CVE-2014-6242

Name of the Vulnerable Software and Affected Versions All In One WP Security & Firewall plugin versions prior to 3.8.3

Description The issue allows remote authenticated users to execute arbitrary SQL commands via the orderby or order parameter in the aiowpsec page to wp-admin/admin.php. This can be leveraged using CSRF to allow remote attackers to execute arbitrary SQL commands.

Recommendations For versions prior to 3.8.3, update to version 3.8.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the aiowpsec page in wp-admin/admin.php to minimize the risk of exploitation. Avoid using the orderby and order parameters in the affected page until the issue is resolved.