PT-2018-13432 · WordPress · The Gift Vouchers Plugin

Published

2018-08-30

Updated

2018-10-19

CVE-2018-16159

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions The Gift Vouchers plugin versions prior to 2.0.2

Description The issue allows SQL Injection via the template id parameter in a "wp-admin/admin-ajax.php" wpgv doajax front template request. This could potentially lead to unauthorized access to sensitive data.

Recommendations For The Gift Vouchers plugin versions prior to 2.0.2, update to version 2.0.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the wp-admin/admin-ajax.php endpoint to minimize the risk of exploitation. Avoid using the template id parameter in the affected API endpoint until the issue is resolved.

Exploit

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2018-16159

Affected Products

The Gift Vouchers Plugin

PT-2018-13432 · WordPress · The Gift Vouchers Plugin

CVE-2018-16159

Weakness Enumeration

Related Identifiers

Affected Products

References · 4