Description
The Email Before Download WordPress plugin before 6.8 does not properly validate and escape the order and orderby GET parameters before using them in SQL statements, leading to authenticated SQL injection issues
References (1)
Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/a8625b84-337d-4c4d-a698-73e59d1f8ee1
Scores
CVSS v3
8.8
EPSS
0.0132
EPSS Percentile
67.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-89
Status
published
Products (1)
mandsconsulting/email_before_download
< 6.8
Published
Nov 29, 2021
Tracked Since
Feb 18, 2026