CVE-2015-2314

Wpml < 3.1.8 - SQL Injection

Title source: rule

Description

SQL injection vulnerability in the WPML plugin before 3.1.9 for WordPress allows remote attackers to execute arbitrary SQL commands via the lang parameter in the HTTP Referer header in a wp-link-ajax action to comments/feed.

Exploits (1)

exploitdb WRITEUP

webappsphp

https://www.exploit-db.com/exploits/36414

View Code ZIP pw:eip

References (6)

[Exploit] http://klikki.fi/adv/wpml.html

[Exploit] http://packetstormsecurity.com/files/130810/WordPress-WPML-XSS-Deletion-SQL-Injection.html

[Exploit] http://seclists.org/fulldisclosure/2015/Mar/71

[Vendor Advisory] http://wpml.org/2015/03/wpml-security-update-bug-and-fix/

[Third Party Advisory, VDB Entry] http://www.osvdb.org/119541

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/archive/1/534862/100/0/threaded

Scores

EPSS 0.2272

EPSS Percentile 95.9%

Details

CWE

CWE-89

Status published

Products (1)

wpml/wpml < 3.1.8

Published Mar 17, 2015

Tracked Since Feb 18, 2026