PT-2021-15927 · WordPress · Easy Testimonial Manager

Syed Sheeraz Ali

Published

2021-09-06

Updated

2021-09-09

CVE-2021-24394

CVSS v3.1

7.2

High

Vector

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Easy Testimonial Manager WordPress plugin versions 1.2.0 and earlier

Description The issue is related to the id GET parameter in the Easy Testimonial Manager WordPress plugin, which is not properly sanitized, escaped, or validated before being inserted into a SQL statement. This leads to SQL injection.

Recommendations For versions 1.2.0 and earlier, update to a version that properly sanitizes the id GET parameter to prevent SQL injection. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2021-24394

Affected Products

Easy Testimonial Manager

PT-2021-15927 · WordPress · Easy Testimonial Manager

CVE-2021-24394

Weakness Enumeration

Related Identifiers

Affected Products

References · 5