Vulnerability CVE-2019-10692

Published: 2019-04-02

Description:
In the wp-google-maps plugin before 7.11.18 for WordPress, includes/class.rest-api.php in the REST API does not sanitize field names before a SELECT statement.

See advisories in our WLB2 database:

Risk   Topic                                                        Author        Date
Med.   WordPress Rest Google Maps SQL Injection                     Jonatas Fil   21.10.2020
Med.   WordPress Plugin Rest Google Maps < 7.11.18 SQL Injection    Jonatas Fil   26.10.2020

Type: CWE-20 (Improper Input Validation)

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score:          7.5/10
Impact Subscore:          6.4/10
Exploitability Subscore:  10/10

Exploit range:            Remote
Attack complexity:        Low
Authentication:           Not required

Confidentiality impact:   Partial
Integrity impact:         Partial
Availability impact:      Partial

References:
http://www.rapid7.com/db/modules/auxiliary/admin/http/wp_google_maps_sqli
https://plugins.trac.wordpress.org/changeset?old_path=%2Fwp-google-maps&old=2061433&new_path=%2Fwp-google-maps&new=2061434&sfp_email=&sfph_mail=#file755
https://wordpress.org/plugins/wp-google-maps/#developers

Copyright 2024, cxsecurity.com
