CVE-2014-5182

yawpp 1.2 - Authenticated SQL Injection via id Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-5182. PoCs published by certuscyber.

AI-analyzed exploit summary

The repository contains a functional Python-based PoC for CVE-2014-5182, demonstrating a UNION-based SQL injection in the WordPress YAWPP plugin (versions <= 1.2). The exploit authenticates to WordPress, injects a malicious SQL payload via the 'id' parameter, and exfiltrates database version information.

Description

Multiple SQL injection vulnerabilities in the yawpp plugin 1.2 for WordPress allow remote authenticated users with Contributor privileges to execute arbitrary SQL commands via vectors related to (1) admin_functions.php or (2) admin_update.php, as demonstrated by the id parameter in the update action to wp-admin/admin.php.

Exploits (1)

GitHub · working PoC · 3 stars
by certuscyber · python · poc
https://github.com/certuscyber/cve-pocs/tree/main/CVE-2014-5182

Classification
Working PoC 100%
Attack Type
SQLi
Complexity
Moderate
Reliability
Reliable
Target: WordPress YAWPP plugin <= 1.2
Auth required
Prerequisites: WordPress installation with YAWPP plugin <= 1.2 · Valid WordPress credentials (contributor role or higher)
devstral-2 · analyzed Feb 27, 2026

Scores

EPSS 0.0227
EPSS Percentile 80.8%

Details

CWE
CWE-89
Status published
Products (1)
ostenta/yawpp 1.2
Published Aug 06, 2014
Tracked Since Feb 18, 2026