CVE-2014-5183

2014-08-0619:55:04

CWE-89

mitre

web.nvd.nist.gov

cve-2014-5183

sql injection

simple retail menus

wordpress

remote authenticated editors

nvd

CVSS2

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

AI Score

8.3

Confidence

Low

EPSS

0.001

Percentile

46.2%

JSON

SQL injection vulnerability in includes/mode-edit.php in the Simple Retail Menus (simple-retail-menus) plugin before 4.1 for WordPress allows remote authenticated editors to execute arbitrary SQL commands via the targetmenu parameter in an edit action to wp-admin/admin.php.

Affected configurations

Nvd

Node

simple_retail_menus_plugin_projectsimple-retail-menusRange≤4.0.1wordpress

simple_retail_menus_plugin_projectsimple-retail-menusMatch4.0wordpress

VendorProductVersionCPE
simple_retail_menus_plugin_projectsimple-retail-menus*cpe:2.3:a:simple_retail_menus_plugin_project:simple-retail-menus:*:*:*:*:*:wordpress:*:*
simple_retail_menus_plugin_projectsimple-retail-menus4.0cpe:2.3:a:simple_retail_menus_plugin_project:simple-retail-menus:4.0:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
simple_retail_menus_plugin_project	simple-retail-menus	*	cpe:2.3:a:simple_retail_menus_plugin_project:simple-retail-menus::::::wordpress::*
simple_retail_menus_plugin_project	simple-retail-menus	4.0	cpe:2.3:a:simple_retail_menus_plugin_project:simple-retail-menus:4.0:::::wordpress::

References

codevigilant.com/disclosure/wp-plugin-simple-retail-menus-a1-injection

plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=861170%40simple-retail-menus&old=728969%40simple-retail-menus&sfp_email=&sfph_mail=#file1