HTTP: WordPress Generic "ID" Parameter SQL Injection
This signature covers numerous vulnerabilities in WordPress Add-on Modules. Most modules are made by third-party groups that fail to protect against SQL injection. The WordPress "ID" parameter is a common target. This signature detects typical SQL commands sent to an ID parameter of a WordPress enabled website.
Extended Description
The WP Bannerize plug-in for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. WP Bannerize versions 2.8.6 and prior are vulnerable.
Affected Products
Wordpress wp_bannerize
Short Name
HTTP:SQL:INJ:WORDPRESS-ID
Severity
Major
Recommended
False
Recommended Action
Drop
Category
HTTP
Keywords
"ID" CVE-2007-1897 CVE-2008-0490 CVE-2008-0507 CVE-2008-1646 CVE-2008-2034 CVE-2008-2510 CVE-2009-0968 Generic Injection Parameter SQL WordPress bid:49401
Release Date
09/01/2011
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3336
False Positive
Unknown
Vendors
Wordpress
CVSS Score
6.5
7.5