CVE-2014-8810

WP Symposium <14.11 - SQL Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-8810. PoCs published by Kacper Szurek.

AI-analyzed exploit summary This exploit demonstrates a SQL injection vulnerability in WP Symposium 14.10 via the unsanitized `$_POST['tray']` parameter. The PoC provides a form to inject malicious SQL queries, potentially leaking sensitive data like user passwords.

Description

SQL injection vulnerability in ajax/mail_functions.php in the WP Symposium plugin before 14.11 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the tray parameter in a getMailMessage action.

Exploits (1)

exploitdb WORKING POC

by Kacper Szurek · textwebappsphp

https://www.exploit-db.com/exploits/35505

View Code ZIP pw:eip

This exploit demonstrates a SQL injection vulnerability in WP Symposium 14.10 via the unsanitized `$_POST['tray']` parameter. The PoC provides a form to inject malicious SQL queries, potentially leaking sensitive data like user passwords.

Classification

Working Poc 100%

Attack Type

Sqli

Complexity

Trivial

Reliability

Reliable

Target: WP Symposium 14.10

Auth required

Prerequisites: Valid message ID from the user's sent items · Access to the WordPress installation with WP Symposium plugin

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Exploit x_refsource_misc

http://security.szurek.pl/wp-symposium-1410-multiple-xss-and-sql-injection.html

Exploit exploit x_refsource_exploit-db

http://www.exploit-db.com/exploits/35505

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/62643

Vendor Advisory x_refsource_misc

http://www.wpsymposium.com/2014/11/release-information-for-v14-11/

Scores

EPSS 0.0372

EPSS Percentile 88.4%

Details

CWE

CWE-89

Status published

Products (1)

wpsymposiumpro/wp_symposium < 14.10

Published Dec 24, 2014

Tracked Since Feb 18, 2026