CVE-2015-2791

WPML < 3.1.8 - Unauthenticated Arbitrary Post Deletion via Menu Sync Function


Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-2791. PoCs published by Jouko Pynnonen.

AI-analyzed exploit summary: The document describes three vulnerabilities in WPML (WordPress Multilingual Plugin), including an unauthenticated SQL injection via a crafted HTTP Referer header, unauthorized page/post/menu deletion, and a reflected XSS. The SQL injection allows database content extraction, including user hashes.

Description

The "menu sync" function in the WPML plugin before 3.1.9 for WordPress allows remote attackers to delete arbitrary posts, pages, and menus via a crafted request to sitepress-multilingual-cms/menu/menus-sync.php.

Exploits (1)

exploitdb WRITEUP
by Jouko Pynnonen · text · webapps · php
https://www.exploit-db.com/exploits/36414


Classification: Writeup 100%
Attack Type: SQLi | XSS | Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: WPML < 3.1.9.1
No auth needed
Prerequisites: WordPress with vulnerable WPML plugin installed
devstral-2 · analyzed Feb 16, 2026

References (5)

Exploit x_refsource_misc
http://klikki.fi/adv/wpml.html
Exploit mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2015/Mar/71
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/534862/100/0/threaded

Scores

EPSS 0.1339
EPSS Percentile 95.9%

Details

CWE: CWE-264
Status: published
Products (1): wpml/wpml < 3.1.8
Published: Mar 30, 2015
Tracked Since: Feb 18, 2026