CVE-2012-5328

Name of the Vulnerable Software and Affected Versions Mingle Forum plugin versions prior to 1.0.33

Description The issue allows remote authenticated users to execute arbitrary SQL commands. This can be achieved via the memberid or groupid parameters in a "removemember" action, the id parameter to "fs-admin/fs-admin.php", or the edit forum id parameter in an "edit save forum" action to "fs-admin/wpf-edit-forum-group.php".

Recommendations For Mingle Forum plugin versions prior to 1.0.33, update to version 1.0.33 or later to resolve the issue. As a temporary workaround, consider restricting access to the "fs-admin/fs-admin.php" and "fs-admin/wpf-edit-forum-group.php" endpoints until the update is applied. Avoid using the memberid, groupid, id, and edit forum id parameters in the affected actions until the issue is resolved.