PT-2014-6324 · WordPress · Quartz Plugin
Anant Shrivastava
·
Published
2014-08-06
·
Updated
2014-08-07
·
CVE-2014-5185
CVSS v2.0
6.0
Medium
| Vector | AV:N/AC:M/Au:S/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
Quartz plugin version 1.01.1 for WordPress
Description
The issue allows remote authenticated users with Contributor privileges to execute arbitrary SQL commands. This is achieved by exploiting the
quote parameter in an edit action in the quartz/quote form.php page to wp-admin/edit.php.Recommendations
For Quartz plugin version 1.01.1, avoid using the
quote parameter in the edit action until a patch is available. As a temporary workaround, consider restricting access to the quartz/quote form.php page for users with Contributor privileges to minimize the risk of exploitation.Exploit
Fix
SQL injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Quartz Plugin