CVE-2015-9323

CRITICAL NUCLEI

404_to_301 < 2.0.3 - SQL Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-9323. PoCs published by Ron Jost. A Nuclei detection template is also available.

AI-analyzed exploit summary This exploit demonstrates an authenticated SQL injection vulnerability in the WordPress plugin '404 to 301' version 2.0.2 or earlier. It authenticates to WordPress and generates a sqlmap command to exploit the vulnerability in the 'orderby' parameter.

Description

The 404-to-301 plugin before 2.0.3 for WordPress has SQL injection.

Exploits (1)

exploitdb WORKING POC

by Ron Jost · pythonwebappsphp

https://www.exploit-db.com/exploits/50698

View Code ZIP pw:eip

This exploit demonstrates an authenticated SQL injection vulnerability in the WordPress plugin '404 to 301' version 2.0.2 or earlier. It authenticates to WordPress and generates a sqlmap command to exploit the vulnerability in the 'orderby' parameter.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: WordPress Plugin 404 to 301 <= 2.0.2

Auth required

Prerequisites: WordPress installation with vulnerable plugin · Valid WordPress credentials

MITRE ATT&CK

T1189 - Drive-by Compromise T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

404 to 301 <= 2.0.2 - Authenticated Blind SQL Injection

CRITICALVERIFIEDby Harsh

References (2)

Core 2

Core References

Issue Tracking, Third Party Advisory x_refsource_misc

https://wordpress.org/plugins/404-to-301/#developers

Exploit, Third Party Advisory x_refsource_misc

https://github.com/Hacker5preme/Exploits/tree/main/Wordpress/CVE-2015-9323

View Exploit ZIP pw:eip

Scores

CVSS v3 9.8

EPSS 0.7237

EPSS Percentile 98.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-89

Status published

Products (1)

duckdev/404_to_301 < 2.0.3

Published Aug 16, 2019

Tracked Since Feb 18, 2026