{"api_version":"1","generated_at":"2026-06-14T11:55:05+00:00","cve":"CVE-2014-3961","urls":{"html":"https://cve.report/CVE-2014-3961","api":"https://cve.report/api/cve/CVE-2014-3961.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2014-3961","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2014-3961"},"summary":{"title":"CVE-2014-3961","description":"SQL injection vulnerability in the Export CSV page in the Participants Database plugin before 1.5.4.9 for WordPress allows remote attackers to execute arbitrary SQL commands via the query parameter in an \"output CSV\" action to pdb-signup/.","state":"PUBLISHED","assigner":"mitre","published_at":"2014-06-04 14:55:07","updated_at":"2026-05-06 22:30:45"},"problem_types":["CWE-89","n/a"],"metrics":[{"version":"2.0","source":"nvd@nist.gov","type":"Primary","score":"7.5","severity":"","vector":"AV:N/AC:L/Au:N/C:P/I:P/A:P","data":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","baseScore":7.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"}}],"references":[{"url":"http://packetstormsecurity.com/files/126878/WordPress-Participants-Database-1.5.4.8-SQL-Injection.html","name":"http://packetstormsecurity.com/files/126878/WordPress-Participants-Database-1.5.4.8-SQL-Injection.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit"],"title":"WordPress Participants Database 1.5.4.8 SQL Injection ≈ Packet Storm","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://osvdb.org/show/osvdb/107626","name":"http://osvdb.org/show/osvdb/107626","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"","mime":"","httpstatus":"-1","archivestatus":"0"},{"url":"https://wordpress.org/plugins/participants-database/changelog","name":"https://wordpress.org/plugins/participants-database/changelog","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"WordPress › Participants Database « WordPress Plugins","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.yarubo.com/advisories/1","name":"https://www.yarubo.com/advisories/1","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","URL Repurposed"],"title":"","mime":"","httpstatus":"-1","archivestatus":"404"},{"url":"http://www.exploit-db.com/exploits/33613","name":"http://www.exploit-db.com/exploits/33613","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit"],"title":"Wordpress Participants Database 1.5.4.8 - SQL Injection","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/67769","name":"http://www.securityfocus.com/bid/67769","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"WordPress Participants Database Plugin SQL Injection and Access Bypass Vulnerabilities","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"http://seclists.org/fulldisclosure/2014/Jun/0","name":"http://seclists.org/fulldisclosure/2014/Jun/0","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit"],"title":"Full Disclosure: Yarubo #1: Arbitrary SQL Execution in Participants Database\tfor Wordpress","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2014-3961","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2014-3961","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"n/a","product":"n/a","version":"affected n/a","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2014","cve_id":"3961","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"xnau","cpe5":"participants_database","cpe6":"1.5.4","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"wordpress","cpe12":"*","cpe13":"*"},{"cve_year":"2014","cve_id":"3961","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"xnau","cpe5":"participants_database","cpe6":"1.5.4.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"wordpress","cpe12":"*","cpe13":"*"},{"cve_year":"2014","cve_id":"3961","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"xnau","cpe5":"participants_database","cpe6":"1.5.4.2","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"wordpress","cpe12":"*","cpe13":"*"},{"cve_year":"2014","cve_id":"3961","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"xnau","cpe5":"participants_database","cpe6":"1.5.4.3","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"wordpress","cpe12":"*","cpe13":"*"},{"cve_year":"2014","cve_id":"3961","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"xnau","cpe5":"participants_database","cpe6":"1.5.4.4","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"wordpress","cpe12":"*","cpe13":"*"},{"cve_year":"2014","cve_id":"3961","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"xnau","cpe5":"participants_database","cpe6":"1.5.4.5","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"wordpress","cpe12":"*","cpe13":"*"},{"cve_year":"2014","cve_id":"3961","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"xnau","cpe5":"participants_database","cpe6":"1.5.4.6","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"wordpress","cpe12":"*","cpe13":"*"},{"cve_year":"2014","cve_id":"3961","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"xnau","cpe5":"participants_database","cpe6":"1.5.4.7","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"wordpress","cpe12":"*","cpe13":"*"},{"cve_year":"2014","cve_id":"3961","vulnerable":"1","versionEndIncluding":"1.5.4.8","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"xnau","cpe5":"participants_database","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"wordpress","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2024-08-06T10:57:18.112Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"tags":["x_refsource_MISC","x_transferred"],"url":"http://packetstormsecurity.com/files/126878/WordPress-Participants-Database-1.5.4.8-SQL-Injection.html"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://www.yarubo.com/advisories/1"},{"name":"33613","tags":["exploit","x_refsource_EXPLOIT-DB","x_transferred"],"url":"http://www.exploit-db.com/exploits/33613"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://wordpress.org/plugins/participants-database/changelog"},{"name":"20140601 Yarubo #1: Arbitrary SQL Execution in Participants Database\tfor Wordpress","tags":["mailing-list","x_refsource_FULLDISC","x_transferred"],"url":"http://seclists.org/fulldisclosure/2014/Jun/0"},{"name":"107626","tags":["vdb-entry","x_refsource_OSVDB","x_transferred"],"url":"http://osvdb.org/show/osvdb/107626"},{"name":"67769","tags":["vdb-entry","x_refsource_BID","x_transferred"],"url":"http://www.securityfocus.com/bid/67769"}],"title":"CVE Program Container"}],"cna":{"affected":[{"product":"n/a","vendor":"n/a","versions":[{"status":"affected","version":"n/a"}]}],"descriptions":[{"lang":"en","value":"SQL injection vulnerability in the Export CSV page in the Participants Database plugin before 1.5.4.9 for WordPress allows remote attackers to execute arbitrary SQL commands via the query parameter in an \"output CSV\" action to pdb-signup/."}],"problemTypes":[{"descriptions":[{"description":"n/a","lang":"en","type":"text"}]}],"providerMetadata":{"dateUpdated":"2014-06-04T14:00:00.000Z","orgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","shortName":"mitre"},"references":[{"tags":["x_refsource_MISC"],"url":"http://packetstormsecurity.com/files/126878/WordPress-Participants-Database-1.5.4.8-SQL-Injection.html"},{"tags":["x_refsource_MISC"],"url":"https://www.yarubo.com/advisories/1"},{"name":"33613","tags":["exploit","x_refsource_EXPLOIT-DB"],"url":"http://www.exploit-db.com/exploits/33613"},{"tags":["x_refsource_CONFIRM"],"url":"https://wordpress.org/plugins/participants-database/changelog"},{"name":"20140601 Yarubo #1: Arbitrary SQL Execution in Participants Database\tfor Wordpress","tags":["mailing-list","x_refsource_FULLDISC"],"url":"http://seclists.org/fulldisclosure/2014/Jun/0"},{"name":"107626","tags":["vdb-entry","x_refsource_OSVDB"],"url":"http://osvdb.org/show/osvdb/107626"},{"name":"67769","tags":["vdb-entry","x_refsource_BID"],"url":"http://www.securityfocus.com/bid/67769"}],"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2014-3961","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"SQL injection vulnerability in the Export CSV page in the Participants Database plugin before 1.5.4.9 for WordPress allows remote attackers to execute arbitrary SQL commands via the query parameter in an \"output CSV\" action to pdb-signup/."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"http://packetstormsecurity.com/files/126878/WordPress-Participants-Database-1.5.4.8-SQL-Injection.html","refsource":"MISC","url":"http://packetstormsecurity.com/files/126878/WordPress-Participants-Database-1.5.4.8-SQL-Injection.html"},{"name":"https://www.yarubo.com/advisories/1","refsource":"MISC","url":"https://www.yarubo.com/advisories/1"},{"name":"33613","refsource":"EXPLOIT-DB","url":"http://www.exploit-db.com/exploits/33613"},{"name":"https://wordpress.org/plugins/participants-database/changelog","refsource":"CONFIRM","url":"https://wordpress.org/plugins/participants-database/changelog"},{"name":"20140601 Yarubo #1: Arbitrary SQL Execution in Participants Database\tfor Wordpress","refsource":"FULLDISC","url":"http://seclists.org/fulldisclosure/2014/Jun/0"},{"name":"107626","refsource":"OSVDB","url":"http://osvdb.org/show/osvdb/107626"},{"name":"67769","refsource":"BID","url":"http://www.securityfocus.com/bid/67769"}]}}}},"cveMetadata":{"assignerOrgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","assignerShortName":"mitre","cveId":"CVE-2014-3961","datePublished":"2014-06-04T14:00:00.000Z","dateReserved":"2014-06-04T00:00:00.000Z","dateUpdated":"2024-09-16T16:27:38.978Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"},"nvd":{"publishedDate":"2014-06-04 14:55:07","lastModifiedDate":"2026-05-06 22:30:45","problem_types":["CWE-89","n/a"],"metrics":{"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","baseScore":7.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"HIGH","exploitabilityScore":10,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:xnau:participants_database:*:*:*:*:*:wordpress:*:*","versionEndIncluding":"1.5.4.8","matchCriteriaId":"04358834-C853-44DC-B289-92640FFF705D"},{"vulnerable":true,"criteria":"cpe:2.3:a:xnau:participants_database:1.5.4:*:*:*:*:wordpress:*:*","matchCriteriaId":"93D00F6B-85E5-48B9-AC9F-192D29237FD4"},{"vulnerable":true,"criteria":"cpe:2.3:a:xnau:participants_database:1.5.4.1:*:*:*:*:wordpress:*:*","matchCriteriaId":"C1806461-1884-4DE8-8F7F-662A53DA0C28"},{"vulnerable":true,"criteria":"cpe:2.3:a:xnau:participants_database:1.5.4.2:*:*:*:*:wordpress:*:*","matchCriteriaId":"1AF9B82A-4C29-4D1A-816E-15914155D16A"},{"vulnerable":true,"criteria":"cpe:2.3:a:xnau:participants_database:1.5.4.3:*:*:*:*:wordpress:*:*","matchCriteriaId":"19154509-7445-4DB5-ABAD-8BCB1273C180"},{"vulnerable":true,"criteria":"cpe:2.3:a:xnau:participants_database:1.5.4.4:*:*:*:*:wordpress:*:*","matchCriteriaId":"F98BAC02-69D8-4921-B076-18BCD59AC907"},{"vulnerable":true,"criteria":"cpe:2.3:a:xnau:participants_database:1.5.4.5:*:*:*:*:wordpress:*:*","matchCriteriaId":"DA5D4784-FC07-47B1-8FD9-03AEB684206A"},{"vulnerable":true,"criteria":"cpe:2.3:a:xnau:participants_database:1.5.4.6:*:*:*:*:wordpress:*:*","matchCriteriaId":"9F87C256-9049-41CF-8C5C-B3EE961CD972"},{"vulnerable":true,"criteria":"cpe:2.3:a:xnau:participants_database:1.5.4.7:*:*:*:*:wordpress:*:*","matchCriteriaId":"2782A534-D28D-4F60-A044-B09CB1FD1DB6"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2014","CveId":"3961","Ordinal":"1","Title":"CVE-2014-3961","CVE":"CVE-2014-3961","Year":"2014"},"notes":[{"CveYear":"2014","CveId":"3961","Ordinal":"1","NoteData":"SQL injection vulnerability in the Export CSV page in the Participants Database plugin before 1.5.4.9 for WordPress allows remote attackers to execute arbitrary SQL commands via the query parameter in an \"output CSV\" action to pdb-signup/.","Type":"Description","Title":"CVE-2014-3961"},{"CveYear":"2014","CveId":"3961","Ordinal":"2","NoteData":"2014-06-04","Type":"Other","Title":"Published"}]}}}