CVE-2015-2314

WPML < 3.1.8 - SQL Injection via HTTP Referer Header

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-2314.

AI-analyzed exploit summary: The document details three vulnerabilities in WPML (WordPress Multilingual Plugin), including an unauthenticated SQL injection via crafted HTTP referer, arbitrary post/page deletion due to missing access controls, and a reflected XSS vulnerability. It provides technical explanations and proof-of-concept examples for each issue.

Description

SQL injection vulnerability in the WPML plugin before 3.1.9 for WordPress allows remote attackers to execute arbitrary SQL commands via the lang parameter in the HTTP Referer header in a wp-link-ajax action to comments/feed.

Exploits (1)

exploitdb WRITEUP
webapps php
https://www.exploit-db.com/exploits/36414

Classification: Writeup 100%
Attack Type: SQLi | XSS | Other
Complexity: Trivial
Reliability: Reliable
Target: WPML (WordPress Multilingual Plugin) < 3.1.9.1
No auth needed
Prerequisites: Access to the target WordPress site · Ability to send crafted HTTP requests
devstral-2 · analyzed Feb 19, 2026

References (6)

Core References
Exploit x_refsource_misc
http://klikki.fi/adv/wpml.html
Vendor Advisory x_refsource_confirm
http://wpml.org/2015/03/wpml-security-update-bug-and-fix/
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/119541
Exploit mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2015/Mar/71
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/534862/100/0/threaded

Scores

EPSS 0.0712
EPSS Percentile 93.4%

Details

CWE CWE-89
Status published
Products (1)
wpml/wpml < 3.1.8
Published Mar 17, 2015
Tracked Since Feb 18, 2026