← back
CVE-2017-20246

KittyCatfish 2.2 Plugin for WordPress SQL Injection

CVSS 8.8 HIGHEPSS 0.3%CWE-89
KittyCatfish 2.2 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to read database contents by exploiting an unescaped GET parameter. Attackers can inject SQL code through the 'kc_ad' parameter in base.css.php or kittycatfish.php to extract sensitive database information using boolean-based blind or time-based blind techniques.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
Affected products
Missilesilo · KittyCatfish
public PoCs found1
cve_referencewww.exploit-db.com/exploits/41919unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://tad.grouphttps://wordpress.org/plugins-wp/kittycatfish/https://www.exploit-db.com/exploits/41919https://www.vulncheck.com/advisories/kittycatfish-plugin-for-wordpress-sql-injection