PT-2017-14657 · WordPress · Inlinks
Published
2017-11-27
·
Updated
2017-12-07
·
CVE-2017-16955
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
InLinks plugin versions through 1.1 for WordPress
Description
The issue allows authenticated users to execute arbitrary SQL commands. This is achieved via the "keyword" parameter to the "/wp-admin/options-general.php?page=inlinks/inlinks.php" API endpoint. The
keyword parameter is used in this exploitation.Recommendations
For InLinks plugin versions through 1.1, consider disabling access to the "/wp-admin/options-general.php?page=inlinks/inlinks.php" endpoint until a patch is available. Avoid using the
keyword parameter in the affected endpoint to minimize the risk of exploitation.Fix
SQL injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Inlinks