Exploitation Summary
EIP tracks 1 public exploit for CVE-2014-6242. PoCs published by High-Tech Bridge SA.
AI-analyzed exploit summary: The exploit demonstrates SQL injection vulnerabilities in the All In One WP Security WordPress plugin via the 'orderby' and 'order' parameters. It uses DNS exfiltration to extract database information, such as the version, by crafting malicious URLs.
Description
Multiple SQL injection vulnerabilities in the All In One WP Security & Firewall plugin before 3.8.3 for WordPress allow remote authenticated users to execute arbitrary SQL commands via the (1) orderby or (2) order parameter in the aiowpsec page to wp-admin/admin.php. NOTE: this can be leveraged using CSRF to allow remote attackers to execute arbitrary SQL commands.
Exploits (1)
1. PoC published by High-Tech Bridge SA (see the AI-analyzed exploit summary above).