CVE-2020-13640 – Comments - wpDiscuz <= 5.3.5 - Blind SQL Injection via order Parameter

https://notcve.org/view.php?id=CVE-2020-13640

A SQL injection issue in the gVectors wpDiscuz plugin 5.3.5 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the order parameter of a wpdLoadMoreComments request. (No 7.x versions are affected.) Un problema de inyección SQL en el plugin gVectors wpDiscuz versiones 5.3.5 y anteriores para WordPress, permite a los atacantes remotos ejecutan comandos SQL arbitrarios por medio del parámetro order de una petición de wpdLoadMoreComments. (versiones 7.x no están afectadas) • https://github.com/asterite3/CVE-2020-13640 http://www.openwall.com/lists/oss-security/2020/07/06/1 https://plugins.trac.wordpress.org/browser/wpdiscuz/tags/5.3.6 https://plugins.trac.wordpress.org/changeset/2323200 https://wordpress.org/plugins/wpdiscuz/#developers https://wpdiscuz.com/community/news/security-vulnerability-issue-in-5-3-5-please-udate • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •