PT-2020-20228 · WordPress · Participants Database Plugin

Published

2020-02-10

Updated

2020-02-25

CVE-2020-8596

CVSS v3.1

7.5

High

Vector

AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Participants Database plugin versions 1.9.5.5 and earlier

Description The issue allows for a time-based SQL injection via the ascdesc, list filter count, or sortBy parameters in the participants-database.php file. This can lead to data exfiltration and potentially code execution under certain conditions.

Recommendations For versions 1.9.5.5 and earlier, consider disabling the participants-database.php file or restricting access to it until a patch is available. Avoid using the ascdesc, list filter count, or sortBy parameters in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2020-8596

Affected Products

Participants Database Plugin

PT-2020-20228 · WordPress · Participants Database Plugin

CVE-2020-8596

Weakness Enumeration

Related Identifiers

Affected Products

References · 4