Description
The EazyDocs WordPress plugin before 2.3.4 does not properly sanitize and escape "data" parameter before using it in an SQL statement via an AJAX action, which could allow any authenticated users, such as subscribers, to perform SQL Injection attacks.
References (1)
Core 1
Core References
Exploit, Third Party Advisory exploit
vdb-entry
technical-description
https://wpscan.com/vulnerability/44f5a29a-05f9-40d2-80f2-6fb2bda60d79
Scores
CVSS v3
8.8
EPSS
0.0085
EPSS Percentile
53.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-89
Status
published
Products (1)
spider-themes/eazydocs
< 2.3.4
Published
Dec 11, 2023
Tracked Since
Feb 18, 2026