PT-2014-8824 · Apptha · Apptha Wordpress Video Gallery
Published 2014-11-26 · Updated 2014-11-28 · CVE-2014-9097
CVSS v2.0: 7.5 (High)
| Vector | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
Apptha WordPress Video Gallery (contus-video-gallery) plugin version 2.5
Description
The issue concerns SQL injection vulnerabilities in the Apptha WordPress Video Gallery plugin. These vulnerabilities allow remote attackers to execute arbitrary SQL commands via the vid parameter in a "myextract" action to "wp-admin/admin-ajax.php". Additionally, remote authenticated users can execute arbitrary SQL commands via the playlistId parameter in the "newplaylist" page or the videoId parameter in a "newvideo" page to "wp-admin/admin.php".
Recommendations
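A log-triage check for the three entry points named in the description, as an added example that is not part of the original advisory or the plugin's code: it flags requests whose vid, playlistId or videoId value is not a plain integer. It assumes these parameters carry numeric IDs and that the action and page are selected through the `action` and `page` query parameters; the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# (endpoint, selector parameter, selector value, parameter named in the advisory)
RULES = [
    ("/wp-admin/admin-ajax.php", "action", "myextract", "vid"),
    ("/wp-admin/admin.php", "page", "newplaylist", "playlistId"),
    ("/wp-admin/admin.php", "page", "newvideo", "videoId"),
]
# Assumption: legitimate values are plain decimal IDs.
PLAIN_ID = re.compile(r"[0-9]{1,10}")
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[0-9.]+"')

def suspicious_params(target):
    """Return (param, decoded value) pairs that are not plain integer IDs."""
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    hits = []
    for endpoint, selector, wanted, param in RULES:
        if not parts.path.endswith(endpoint):
            continue
        if wanted not in query.get(selector, []):
            continue
        hits += [(param, v) for v in query.get(param, [])
                 if not PLAIN_ID.fullmatch(v)]
    return hits

def scan(lines):
    """Return (line number, param, value) for every flagged request."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if match:
            findings += [(number, p, v) for p, v in suspicious_params(match.group(1))]
    return findings

# Constructed sample lines (common log format, documentation IP ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Dec/2014:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=myextract&vid=12 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Dec/2014:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=myextract&vid=12%27 HTTP/1.1" 200 87',
    '192.0.2.10 - - [01/Dec/2014:10:01:00 +0000] "GET /wp-admin/admin.php?page=newplaylist&playlistId=3 HTTP/1.1" 200 900',
    '198.51.100.7 - - [01/Dec/2014:10:01:09 +0000] "GET /wp-admin/admin.php?page=newvideo&videoId=5+AND+1%3D1 HTTP/1.1" 200 901',
    '192.0.2.10 - - [01/Dec/2014:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat&vid=abc HTTP/1.1" 200 40',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Access logs normally record only the query string, so parameters sent in a POST body are not visible to this check.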
For Apptha WordPress Video Gallery (contus-video-gallery) plugin version 2.5, consider updating to a version released after 2014-07-23 to mitigate the risk of SQL injection attacks. As a temporary workaround, restrict access to the "wp-admin/admin-ajax.php" and "wp-admin/admin.php" endpoints to minimize the risk of exploitation. Avoid using the vid, playlistId, and videoId parameters in the affected pages until the issue is resolved.
Exploit
Fix
SQL injection
Weakness Enumeration
Related identifiers
Affected products
Apptha Wordpress Video Gallery