Vulnerability Description
A SQL injection issue in the gVectors wpDiscuz plugin 5.3.5 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the order parameter of a wpdLoadMoreComments request. (No 7.x versions are affected.)
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gvectors | Wpdiscuz | <= 5.3.5 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2020/07/06/1ExploitMailing ListThird Party Advisory
- https://plugins.trac.wordpress.org/browser/wpdiscuz/tags/5.3.6Third Party Advisory
- https://plugins.trac.wordpress.org/changeset/2323200Third Party Advisory
- https://wordpress.org/plugins/wpdiscuz/#developersRelease NotesThird Party Advisory
- https://wpdiscuz.com/community/news/security-vulnerability-issue-in-5-3-5-pleasePatchVendor Advisory
- http://www.openwall.com/lists/oss-security/2020/07/06/1ExploitMailing ListThird Party Advisory
- https://plugins.trac.wordpress.org/browser/wpdiscuz/tags/5.3.6Third Party Advisory
- https://plugins.trac.wordpress.org/changeset/2323200Third Party Advisory
- https://wordpress.org/plugins/wpdiscuz/#developersRelease NotesThird Party Advisory
- https://wpdiscuz.com/community/news/security-vulnerability-issue-in-5-3-5-pleasePatchVendor Advisory
FAQ
What is CVE-2020-13640?
CVE-2020-13640 is a vulnerability with a CVSS score of 9.8 (CRITICAL). A SQL injection issue in the gVectors wpDiscuz plugin 5.3.5 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the order parameter of a wpdLoadMoreComments request...
How severe is CVE-2020-13640?
CVE-2020-13640 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2020-13640?
Check the references section above for vendor advisories and patch information. Affected products include: Gvectors Wpdiscuz.