CVE-2016-0769

Name of the Vulnerable Software and Affected Versions eShop plugin version 6.3.14

Description The issue allows remote administrators to execute arbitrary SQL commands via the delid parameter or remote authenticated users to execute arbitrary SQL commands via the view, mark, or change parameter. This is due to multiple SQL injection vulnerabilities in the eshop-orders.php file of the eShop plugin for WordPress.

Recommendations For version 6.3.14, consider disabling the delid, view, mark, and change parameters in the eshop-orders.php file as a temporary workaround until a patch is available. Restrict access to the eshop-orders.php file to minimize the risk of exploitation. Avoid using the delid, view, mark, and change parameters in the affected API endpoint until the issue is resolved.