CVE-2015-4109

Name of the Vulnerable Software and Affected Versions Users Ultra plugin versions prior to 1.5.16

Description The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the data target or data vote parameter in a rating vote (wp ajax nopriv rating vote) action to "wp-admin/admin-ajax.php" API endpoint.

Recommendations For versions prior to 1.5.16, update to version 1.5.16 or later to resolve the issue. As a temporary workaround, consider restricting access to the wp-admin/admin-ajax.php API endpoint for unauthenticated users until the update is applied. Avoid using the data target and data vote parameters in the affected API endpoint until the issue is resolved.