CVE-2014-1854

SQL injection vulnerability in library/clicktracker.php in the AdRotate Pro plugin 3.9 through 3.9.5 and AdRotate Free plugin 3.9 through 3.9.4 for WordPress allows remote attackers to execute arbitrary SQL commands via the track parameter.

CVSS v2.0 7.5 HIGH

7.5^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://secunia.com/advisories/57079	Vendor Advisory
http://www.adrotateplugin.com/2014/01/adrotate-pro-3-9-6-and-adrotate-free-3-9-5	Vendor Advisory
http://www.exploit-db.com/exploits/31834	Exploit
http://www.securityfocus.com/archive/1/531176/100/0/threaded
http://www.securityfocus.com/bid/65709
https://exchange.xforce.ibmcloud.com/vulnerabilities/91253
https://www.htbridge.com/advisory/HTB23201	Exploit
http://secunia.com/advisories/57079	Vendor Advisory
http://www.adrotateplugin.com/2014/01/adrotate-pro-3-9-6-and-adrotate-free-3-9-5	Vendor Advisory
http://www.exploit-db.com/exploits/31834	Exploit
http://www.securityfocus.com/archive/1/531176/100/0/threaded
http://www.securityfocus.com/bid/65709
https://exchange.xforce.ibmcloud.com/vulnerabilities/91253
https://www.htbridge.com/advisory/HTB23201	Exploit

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:adrotateplugin:adrotate:3.9.::free::wordpress:::*
	cpe:2.3:a:adrotateplugin:adrotate:3.9.::pro::wordpress:::*
	cpe:2.3:a:adrotateplugin:adrotate:3.9.1::free::wordpress:::*
	cpe:2.3:a:adrotateplugin:adrotate:3.9.1::pro::wordpress:::*
	cpe:2.3:a:adrotateplugin:adrotate:3.9.2::free::wordpress:::*
	cpe:2.3:a:adrotateplugin:adrotate:3.9.2::pro::wordpress:::*
	cpe:2.3:a:adrotateplugin:adrotate:3.9.3::free::wordpress:::*
	cpe:2.3:a:adrotateplugin:adrotate:3.9.3::pro::wordpress:::*
	cpe:2.3:a:adrotateplugin:adrotate:3.9.4::free::wordpress:::*
	cpe:2.3:a:adrotateplugin:adrotate:3.9.4::pro::wordpress:::*
	cpe:2.3:a:adrotateplugin:adrotate:3.9.5::pro::wordpress:::*

History

21 Nov 2024, 02:05

Type	Values Removed	Values Added
References	~~() http://secunia.com/advisories/57079 - Vendor Advisory~~	() http://secunia.com/advisories/57079 - Vendor Advisory
References	~~() http://www.adrotateplugin.com/2014/01/adrotate-pro-3-9-6-and-adrotate-free-3-9-5 - Vendor Advisory~~	() http://www.adrotateplugin.com/2014/01/adrotate-pro-3-9-6-and-adrotate-free-3-9-5 - Vendor Advisory
References	~~() http://www.exploit-db.com/exploits/31834 - Exploit~~	() http://www.exploit-db.com/exploits/31834 - Exploit
References	~~() http://www.securityfocus.com/archive/1/531176/100/0/threaded -~~	() http://www.securityfocus.com/archive/1/531176/100/0/threaded -
References	~~() http://www.securityfocus.com/bid/65709 -~~	() http://www.securityfocus.com/bid/65709 -
References	~~() https://exchange.xforce.ibmcloud.com/vulnerabilities/91253 -~~	() https://exchange.xforce.ibmcloud.com/vulnerabilities/91253 -
References	~~() https://www.htbridge.com/advisory/HTB23201 - Exploit~~	() https://www.htbridge.com/advisory/HTB23201 - Exploit

Information

Published : 2014-02-27 15:55

Updated : 2024-11-21 02:05

NVD link : CVE-2014-1854

Mitre link : CVE-2014-1854

CVE.ORG link : CVE-2014-1854

JSON object : View

Products Affected

adrotateplugin

adrotate

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

7.5 /10