CVE-2014-6242 - OpenCVE

Multiple SQL injection vulnerabilities in the All In One WP Security & Firewall plugin before 3.8.3 for WordPress allow remote authenticated users to execute arbitrary SQL commands via the (1) orderby or (2) order parameter in the aiowpsec page to wp-admin/admin.php. NOTE: this can be leveraged using CSRF to allow remote attackers to execute arbitrary SQL commands.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Tips And Tricks Hq	All In One Wordpress Security And Firewall

Configuration 1 [-]

cpe:2.3:a:tips_and_tricks_hq:all_in_one_wordpress_security_and_firewall:*:*:*:*:*:wordpress:*:*

No data.

References

Link	Providers
http://packetstormsecurity.com/files/128419/All-In-One-WP-Security-3.8.2-SQL-Injection.html
http://www.exploit-db.com/exploits/34781
http://www.securityfocus.com/archive/1/533519/100/0/threaded
http://www.securityfocus.com/bid/70150
https://exchange.xforce.ibmcloud.com/vulnerabilities/96204
https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/changelog
https://www.htbridge.com/advisory/HTB23231

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2014-10-02T14:00:00

Updated: 2024-08-06T12:10:12.730Z

Reserved: 2014-09-04T00:00:00

Link: CVE-2014-6242

Vulnrichment

No data.

NVD

Status : Modified

Published: 2014-10-02T14:55:04.823

Modified: 2018-10-09T19:50:22.537

Link: CVE-2014-6242

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-09-24T00:00:00", "descriptions": [{"lang": "en", "value": "Multiple SQL injection vulnerabilities in the All In One WP Security & Firewall plugin before 3.8.3 for WordPress allow remote authenticated users to execute arbitrary SQL commands via the (1) orderby or (2) order parameter in the aiowpsec page to wp-admin/admin.php. NOTE: this can be leveraged using CSRF to allow remote attackers to execute arbitrary SQL commands."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-09T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/128419/All-In-One-WP-Security-3.8.2-SQL-Injection.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/changelog"}, {"name": "34781", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "http://www.exploit-db.com/exploits/34781"}, {"name": "70150", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/70150"}, {"tags": ["x_refsource_MISC"], "url": "https://www.htbridge.com/advisory/HTB23231"}, {"name": "20140924 Two SQL Injections in All In One WP Security WordPress plugin", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/533519/100/0/threaded"}, {"name": "allinone-wp-cve20146242-sql-injection(96204)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96204"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-6242", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple SQL injection vulnerabilities in the All In One WP Security & Firewall plugin before 3.8.3 for WordPress allow remote authenticated users to execute arbitrary SQL commands via the (1) orderby or (2) order parameter in the aiowpsec page to wp-admin/admin.php. NOTE: this can be leveraged using CSRF to allow remote attackers to execute arbitrary SQL commands."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://packetstormsecurity.com/files/128419/All-In-One-WP-Security-3.8.2-SQL-Injection.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/128419/All-In-One-WP-Security-3.8.2-SQL-Injection.html"}, {"name": "https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/changelog", "refsource": "CONFIRM", "url": "https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/changelog"}, {"name": "34781", "refsource": "EXPLOIT-DB", "url": "http://www.exploit-db.com/exploits/34781"}, {"name": "70150", "refsource": "BID", "url": "http://www.securityfocus.com/bid/70150"}, {"name": "https://www.htbridge.com/advisory/HTB23231", "refsource": "MISC", "url": "https://www.htbridge.com/advisory/HTB23231"}, {"name": "20140924 Two SQL Injections in All In One WP Security WordPress plugin", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/533519/100/0/threaded"}, {"name": "allinone-wp-cve20146242-sql-injection(96204)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96204"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T12:10:12.730Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/128419/All-In-One-WP-Security-3.8.2-SQL-Injection.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/changelog"}, {"name": "34781", "tags": ["exploit", "x_refsource_EXPLOIT-DB", "x_transferred"], "url": "http://www.exploit-db.com/exploits/34781"}, {"name": "70150", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/70150"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.htbridge.com/advisory/HTB23231"}, {"name": "20140924 Two SQL Injections in All In One WP Security WordPress plugin", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/533519/100/0/threaded"}, {"name": "allinone-wp-cve20146242-sql-injection(96204)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96204"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-6242", "datePublished": "2014-10-02T14:00:00", "dateReserved": "2014-09-04T00:00:00", "dateUpdated": "2024-08-06T12:10:12.730Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tips_and_tricks_hq:all_in_one_wordpress_security_and_firewall:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "1DDAA14D-0E5C-4A33-9418-8E54480F7876", "versionEndIncluding": "3.8.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple SQL injection vulnerabilities in the All In One WP Security & Firewall plugin before 3.8.3 for WordPress allow remote authenticated users to execute arbitrary SQL commands via the (1) orderby or (2) order parameter in the aiowpsec page to wp-admin/admin.php. NOTE: this can be leveraged using CSRF to allow remote attackers to execute arbitrary SQL commands."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de inyecci\u00f3n SQL en el plugin All In One WP Security & Firewall anterior a 3.8.3 para WordPress permiten a usuarios remotos autenticados ejecutar comandos SQL arbitrarios a trav\u00e9s del par\u00e1metro (1) orderby o (2) order en la p\u00e1gina aiowpsec en wp-admin/admin.php. NOTA: este problema puede ser aprovechado al utilizar CSRF para permitir a atacantes remotos ejecutar comandos SQL arbitrarios."}], "id": "CVE-2014-6242", "lastModified": "2018-10-09T19:50:22.537", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-10-02T14:55:04.823", "references": [{"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://packetstormsecurity.com/files/128419/All-In-One-WP-Security-3.8.2-SQL-Injection.html"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://www.exploit-db.com/exploits/34781"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/533519/100/0/threaded"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://www.securityfocus.com/bid/70150"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96204"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/changelog"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "https://www.htbridge.com/advisory/HTB23231"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}]}