CVE-2015-2824

Name of the Vulnerable Software and Affected Versions Simple Ads Manager plugin versions prior to 2.7.97 for WordPress

Description The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via several parameters in different actions to specific API endpoints, such as the "hits[][]" parameter in a "sam hits" action to "sam-ajax.php", the "cstr" parameter in a "load posts" action to "sam-ajax-admin.php", the "searchTerm" parameter in a "load combo data" action to "sam-ajax-admin.php", or various role parameters (subscriber, contributor, author, editor, admin, or sadmin) in a "load users" action to "sam-ajax-admin.php".

Recommendations For Simple Ads Manager plugin versions prior to 2.7.97, update to version 2.7.97 or later to resolve the issue. As a temporary workaround, consider restricting access to the "sam-ajax.php" and "sam-ajax-admin.php" endpoints until the update is applied. Additionally, limiting the use of the vulnerable parameters (hits[][], cstr, searchTerm, subscriber, contributor, author, editor, admin, or sadmin) in the respective actions can help minimize the risk of exploitation.