cnvd - cnvd-2015-03334

cnvd-2015-03334

Vulnerability from cnvd

Title: WordPress插件WP Symposium 'forum.php' SQL注入漏洞

Description:

WordPress是一种使用PHP语言开发的博客平台，用户可以在支持PHP和MySQL数据库的服务器上架设自己的网志。WP Symposium plugin for WordPress是一款wordpress的应用插件。

WP Symposium plugin for WordPress 'forum.php'脚本存在SQL注入漏洞，允许远程攻击者利用漏洞提交特制的SQL查询，操作或获取数据库数据。

Severity: 高

Patch Name: WordPress插件WP Symposium 'forum.php' SQL注入漏洞的补丁

Patch Description:

WordPress插件WP Symposium 'forum.php'脚本存在SQL注入漏洞，允许远程攻击者利用漏洞提交特制的SQL查询，操作或获取数据库数据。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

用户可参考如下厂商提供的安全补丁以修复该漏洞： https://wordpress.org/plugins/wp-symposium/

Reference: http://packetstormsecurity.com/files/131801/WordPress-WP-Symposium-15.1-SQL-Injection.html

Impacted products

Name
Wordpress WP Symposium Plugin <15.4

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2015-3325"
    }
  },
  "description": "WordPress\u662f\u4e00\u79cd\u4f7f\u7528PHP\u8bed\u8a00\u5f00\u53d1\u7684\u535a\u5ba2\u5e73\u53f0\uff0c\u7528\u6237\u53ef\u4ee5\u5728\u652f\u6301PHP\u548cMySQL\u6570\u636e\u5e93\u7684\u670d\u52a1\u5668\u4e0a\u67b6\u8bbe\u81ea\u5df1\u7684\u7f51\u5fd7\u3002WP Symposium plugin for WordPress\u662f\u4e00\u6b3ewordpress\u7684\u5e94\u7528\u63d2\u4ef6\u3002\r\n\r\nWP Symposium plugin for WordPress \u0027forum.php\u0027\u811a\u672c\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\uff0c\u5141\u8bb8\u8fdc\u7a0b\u653b\u51fb\u8005\u5229\u7528\u6f0f\u6d1e\u63d0\u4ea4\u7279\u5236\u7684SQL\u67e5\u8be2\uff0c\u64cd\u4f5c\u6216\u83b7\u53d6\u6570\u636e\u5e93\u6570\u636e\u3002",
  "discovererName": "Hannes Trunde",
  "formalWay": "\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u5382\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u8865\u4e01\u4ee5\u4fee\u590d\u8be5\u6f0f\u6d1e\uff1a\r\nhttps://wordpress.org/plugins/wp-symposium/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2015-03334",
  "openTime": "2015-05-26",
  "patchDescription": "WordPress\u662f\u4e00\u79cd\u4f7f\u7528PHP\u8bed\u8a00\u5f00\u53d1\u7684\u535a\u5ba2\u5e73\u53f0\uff0c\u7528\u6237\u53ef\u4ee5\u5728\u652f\u6301PHP\u548cMySQL\u6570\u636e\u5e93\u7684\u670d\u52a1\u5668\u4e0a\u67b6\u8bbe\u81ea\u5df1\u7684\u7f51\u5fd7\u3002WP Symposium plugin for WordPress\u662f\u4e00\u6b3ewordpress\u7684\u5e94\u7528\u63d2\u4ef6\u3002\r\n\r\nWordPress\u63d2\u4ef6WP Symposium \u0027forum.php\u0027\u811a\u672c\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\uff0c\u5141\u8bb8\u8fdc\u7a0b\u653b\u51fb\u8005\u5229\u7528\u6f0f\u6d1e\u63d0\u4ea4\u7279\u5236\u7684SQL\u67e5\u8be2\uff0c\u64cd\u4f5c\u6216\u83b7\u53d6\u6570\u636e\u5e93\u6570\u636e\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "WordPress\u63d2\u4ef6WP Symposium \u0027forum.php\u0027 SQL\u6ce8\u5165\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Wordpress WP Symposium Plugin \u003c15.4"
  },
  "referenceLink": "http://packetstormsecurity.com/files/131801/WordPress-WP-Symposium-15.1-SQL-Injection.html",
  "serverity": "\u9ad8",
  "submitTime": "2015-05-20",
  "title": "WordPress\u63d2\u4ef6WP Symposium \u0027forum.php\u0027 SQL\u6ce8\u5165\u6f0f\u6d1e"
}

CVE-2015-3325 (GCVE-0-2015-3325)

Vulnerability from cvelistv5

Published

2015-05-15 18:00

Modified

2024-08-06 05:47

Severity ?

CWE

Summary

SQL injection vulnerability in forum.php in the WP Symposium plugin before 15.4 for WordPress allows remote attackers to execute arbitrary SQL commands via the show parameter in the QUERY_STRING to the default URI.

References

▼	URL	Tags
	http://www.securityfocus.com/bid/74237	vdb-entry, x_refsource_BID
	http://packetstormsecurity.com/files/131801/WordPress-WP-Symposium-15.1-SQL-Injection.html	x_refsource_MISC
	https://www.exploit-db.com/exploits/37080/	exploit, x_refsource_EXPLOIT-DB

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T05:47:57.252Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "74237",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/74237"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/131801/WordPress-WP-Symposium-15.1-SQL-Injection.html"
          },
          {
            "name": "37080",
            "tags": [
              "exploit",
              "x_refsource_EXPLOIT-DB",
              "x_transferred"
            ],
            "url": "https://www.exploit-db.com/exploits/37080/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2015-05-07T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "SQL injection vulnerability in forum.php in the WP Symposium plugin before 15.4 for WordPress allows remote attackers to execute arbitrary SQL commands via the show parameter in the QUERY_STRING to the default URI."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2015-06-02T15:57:00",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "74237",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/74237"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/131801/WordPress-WP-Symposium-15.1-SQL-Injection.html"
        },
        {
          "name": "37080",
          "tags": [
            "exploit",
            "x_refsource_EXPLOIT-DB"
          ],
          "url": "https://www.exploit-db.com/exploits/37080/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2015-3325",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "SQL injection vulnerability in forum.php in the WP Symposium plugin before 15.4 for WordPress allows remote attackers to execute arbitrary SQL commands via the show parameter in the QUERY_STRING to the default URI."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "74237",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/74237"
            },
            {
              "name": "http://packetstormsecurity.com/files/131801/WordPress-WP-Symposium-15.1-SQL-Injection.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/131801/WordPress-WP-Symposium-15.1-SQL-Injection.html"
            },
            {
              "name": "37080",
              "refsource": "EXPLOIT-DB",
              "url": "https://www.exploit-db.com/exploits/37080/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2015-3325",
    "datePublished": "2015-05-15T18:00:00",
    "dateReserved": "2015-04-16T00:00:00",
    "dateUpdated": "2024-08-06T05:47:57.252Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted