CVE-2015-2199

Name of the Vulnerable Software and Affected Versions WonderPlugin Audio Player plugin versions prior to 2.1

Description The issue allows remote authenticated users to execute arbitrary SQL commands via the item[id] parameter in a wonderplugin audio save item action to /wp-admin/admin-ajax.php or remote administrators to execute arbitrary SQL commands via the itemid parameter in the wonderplugin audio show item, wonderplugin audio show items, or wonderplugin audio edit item page to /wp-admin/admin.php.

Recommendations For WonderPlugin Audio Player plugin versions prior to 2.1, update to version 2.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the /wp-admin/admin-ajax.php and /wp-admin/admin.php API endpoints until the update is applied. Avoid using the item[id] and itemid parameters in the affected actions and pages until the issue is resolved.