Vulnerability Description
SQL injection vulnerability in the shortcodeProductsTable function in models/Cart66Ajax.php in the Cart66 Lite plugin before 1.5.2 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the id parameter in a shortcode_products_table action to wp-admin/admin-ajax.php.
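As an added illustration, not the plugin's actual code, the following hypothetical WordPress admin-ajax handler shows the class of flaw described above (a request-supplied id spliced into SQL, reachable by any authenticated user) beside a hardened version that adds a capability check, a nonce check, integer coercion and a prepared statement; the table name, nonce action and required capability are assumptions.

```php
<?php
// Added illustration only; not code from Cart66 Lite. Assumes the usual WordPress
// globals and helpers ($wpdb, current_user_can, check_ajax_referer, absint) are loaded.

// VULNERABLE pattern (hypothetical): the id from the request is concatenated into SQL
// and there is no capability or nonce check, so any logged-in user can reach it.
function vulnerable_products_table() {
    global $wpdb;
    $id  = $_POST['id'];                                              // untrusted, unfiltered
    $sql = "SELECT * FROM {$wpdb->prefix}cart66_products WHERE id = $id"; // table name assumed
    return $wpdb->get_results( $sql );
}

// HARDENED version: authorisation, CSRF protection, type coercion, prepared statement.
function hardened_products_table() {
    global $wpdb;

    // Only users with the assumed capability may call this action.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Nonce action and field name are assumptions; rejects forged cross-site requests.
    check_ajax_referer( 'products_table_nonce', 'nonce' );

    // absint() coerces the value to a non-negative integer, so no SQL can survive in it.
    $id = absint( $_POST['id'] ?? 0 );
    if ( 0 === $id ) {
        wp_send_json_error( 'invalid id', 400 );
    }

    // %d placeholder: $wpdb->prepare() binds the value, it is never interpolated as text.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}cart66_products WHERE id = %d",
        $id
    );
    return $wpdb->get_results( $sql );
}

// Register the hardened handler for the logged-in AJAX action name from the advisory.
add_action( 'wp_ajax_shortcode_products_table', 'hardened_products_table' );
```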
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Reality66 | Cart66 Lite | <= 1.5.1.17 |
Related Weaknesses (CWE)
References
- http://osvdb.org/show/osvdb/115286
- http://packetstormsecurity.com/files/129395/Cart66-Lite-WordPress-Ecommerce-1.5. (Exploit)
- http://security.szurek.pl/cart66-lite-wordpress-ecommerce-15117-blind-sql-inject (Exploit)
- http://www.exploit-db.com/exploits/35459 (Exploit)
- https://wordpress.org/plugins/cart66-lite/changelog/ (Patch, Vendor Advisory)
FAQ
What is CVE-2014-9305?
CVE-2014-9305 is a vulnerability with a CVSS score of 6.5 (MEDIUM). SQL injection vulnerability in the shortcodeProductsTable function in models/Cart66Ajax.php in the Cart66 Lite plugin before 1.5.2 for WordPress allows remote authenticated users to execute arbitrary ...
How severe is CVE-2014-9305?
CVE-2014-9305 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2014-9305?
Check the references section above for vendor advisories and patch information. Affected products include: Reality66 Cart66 Lite.