CVE-2013-1408

Wysija Newsletters < 2.2 - SQL Injection

Title source: rule

Description

Multiple SQL injection vulnerabilities in the Wysija Newsletters plugin before 2.2.1 for WordPress allow remote authenticated administrators to execute arbitrary SQL commands via the (1) search or (2) orderby parameter to wp-admin/admin.php. NOTE: this can be leveraged using CSRF to allow remote unauthenticated attackers to execute arbitrary SQL commands.

Exploits (1)

exploitdb WORKING POC VERIFIED

by High-Tech Bridge · textwebappsphp

https://www.exploit-db.com/exploits/38297

View Code ZIP pw:eip

References (6)

Core 6

Core References

Exploit x_refsource_misc

http://packetstormsecurity.com/files/120089/WordPress-Wysija-Newsletters-2.2-SQL-Injection.html

Exploit x_refsource_misc

https://www.htbridge.com/advisory/HTB23140

Third Party Advisory, VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/81932

Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb

http://osvdb.org/89924

Exploit vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/57775

Exploit mailing-list x_refsource_bugtraq

http://archives.neohapsis.com/archives/bugtraq/2013-02/0030.html

Scores

EPSS 0.0258

EPSS Percentile 85.6%

Details

CWE

CWE-89

Status published

Products (22)

wysija_newsletters_project/wysija_newsletters 2.0

wysija_newsletters_project/wysija_newsletters 2.0.1

wysija_newsletters_project/wysija_newsletters 2.0.2

wysija_newsletters_project/wysija_newsletters 2.0.3

wysija_newsletters_project/wysija_newsletters 2.0.4

wysija_newsletters_project/wysija_newsletters 2.0.5

wysija_newsletters_project/wysija_newsletters 2.0.6

wysija_newsletters_project/wysija_newsletters 2.0.7

wysija_newsletters_project/wysija_newsletters 2.0.8

wysija_newsletters_project/wysija_newsletters 2.0.9

... and 12 more

Published Mar 24, 2014

Tracked Since Feb 18, 2026