CVE-2015-2292
Summary
| CVE | CVE-2015-2292 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2015-03-17 15:59:00 UTC |
| Updated | 2016-12-03 03:04:00 UTC |
| Description | Multiple SQL injection vulnerabilities in admin/class-bulk-editor-list-table.php in the WordPress SEO by Yoast plugin before 1.5.7, 1.6.x before 1.6.4, and 1.7.x before 1.7.4 for WordPress allow remote authenticated users to execute arbitrary SQL commands via the (1) order_by or (2) order parameter in the wpseo_bulk-editor page to wp-admin/admin.php. NOTE: this can be leveraged using CSRF to allow remote attackers to execute arbitrary SQL commands. |
Risk And Classification
Problem Types: CWE-89
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Yoast | Wordpress Seo | 1.6.0 | All | All | All |
| Application | Yoast | Wordpress Seo | 1.6.1 | All | All | All |
| Application | Yoast | Wordpress Seo | 1.6.2 | All | All | All |
| Application | Yoast | Wordpress Seo | 1.6.3 | All | All | All |
| Application | Yoast | Wordpress Seo | 1.7.1 | All | All | All |
| Application | Yoast | Wordpress Seo | 1.7.2 | All | All | All |
| Application | Yoast | Wordpress Seo | 1.7.3 | All | All | All |
| Application | Yoast | Wordpress Seo | 1.7.3.1 | All | All | All |
| Application | Yoast | Wordpress Seo | 1.7.3.2 | All | All | All |
| Application | Yoast | Wordpress Seo | 1.7.3.3 | All | All | All |
| Application | Yoast | Wordpress Seo | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Yoast WordPress SEO WordPress Plugin Access Control Flaw Lets Remote Users Conduct Cross-Site Request Forgery Attacks - SecurityTracker | SECTRACK | www.securitytracker.com | Exploit |
| WordPress SEO By Yoast 1.7.3.3 SQL Injection ≈ Packet Storm | MISC | packetstormsecurity.com | Exploit |
| WordPress › WordPress SEO by Yoast « WordPress Plugins | CONFIRM | wordpress.org | |
| WordPress SEO by Yoast 1.7.3.3 - Blind SQL Injection | EXPLOIT-DB | www.exploit-db.com | |
| Full Disclosure: WordPress SEO by Yoast <= 1.7.3.3 - Blind SQL Injection | FULLDISC | seclists.org | Exploit |
| WordPress SEO by Yoast <= 1.7.3.3 - Blind SQL Injection | MISC | wpvulndb.com | Exploit |
| WordPress SEO Security release • Yoast | CONFIRM | yoast.com | Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.