CVE-2017-18570
cformsII <= 14.12.3 - Authenticated SQL Injection
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
The cforms2 plugin before 14.13 for WordPress has SQL injection in the tracking DB GUI via Delete Entries or Download Entries.
El plugin cforms2 versiones anteriores a 14.13 para WordPress, presenta una inyección SQL en la GUI de la DB de seguimiento por medio de Eliminar entradas o Descargar entradas.
The cformsII plugin for WordPress is vulnerable to generic SQL Injection via Delete Entries or Download Entries in versions up to, and including, 14.12.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for highly-privileged attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2017-04-24 CVE Published
- 2019-08-21 CVE Reserved
- 2023-03-07 EPSS Updated
- 2024-08-05 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CAPEC
References (1)
| URL | Tag | Source |
|---|---|---|
| https://wordpress.org/plugins/cforms2/#developers | Release Notes |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Cformsii Project Search vendor "Cformsii Project" | Cformsii Search vendor "Cformsii Project" for product "Cformsii" | < 14.13 Search vendor "Cformsii Project" for product "Cformsii" and version " < 14.13" | wordpress |
Affected
| ||||||