CVE-2017-12199 — CRITICAL (9.8)

Vulnerability Description

The Etoile Ultimate Product Catalog plugin 4.2.11 for WordPress has SQL injection with these wp-admin/admin-ajax.php POST actions: catalogue_update_order list-item, video_update_order video-item, image_update_order list-item, tag_group_update_order list_item, category_products_update_order category-product-item, custom_fields_update_order field-item, categories_update_order category-item, subcategories_update_order subcategory-item, and tags_update_order tag-list-item.

CVSS Score

9.8

CRITICAL

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Etoilewebdesign	Ultimate Product Catalog	4.2.11

Related Weaknesses (CWE)

CWE-89

References

https://github.com/kevins1022/cve/blob/master/wordpress-product-catalog.mdExploitThird Party Advisory
https://github.com/kevins1022/cve/blob/master/wordpress-product-catalog.mdExploitThird Party Advisory

FAQ

What is CVE-2017-12199?

CVE-2017-12199 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The Etoile Ultimate Product Catalog plugin 4.2.11 for WordPress has SQL injection with these wp-admin/admin-ajax.php POST actions: catalogue_update_order list-item, video_update_order video-item, imag...

How severe is CVE-2017-12199?

CVE-2017-12199 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2017-12199?

Check the references section above for vendor advisories and patch information. Affected products include: Etoilewebdesign Ultimate Product Catalog.