Description
The "menu sync" function in the WPML plugin before 3.1.9 for WordPress allows remote attackers to delete arbitrary posts, pages, and menus via a crafted request to sitepress-multilingual-cms/menu/menus-sync.php.
Exploits (1)
References (5)
Core References
Vendor Advisory x_refsource_confirm
https://wpml.org/2015/03/wpml-security-update-bug-and-fix/
Exploit x_refsource_misc
http://klikki.fi/adv/wpml.html
Exploit mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2015/Mar/71
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/534862/100/0/threaded
Exploit x_refsource_misc
http://packetstormsecurity.com/files/130810/WordPress-WPML-XSS-Deletion-SQL-Injection.html
Scores
EPSS: 0.1744
EPSS Percentile: 95.1%
Details
CWE: CWE-264
Status: published
Products (1): wpml/wpml < 3.1.8
Published: Mar 30, 2015
Tracked Since: Feb 18, 2026