← back
CVE-2018-25434

WP AutoSuggest 0.24 SQL Injection via autosuggest.php

CVSS 8.8 HIGHEPSS 0.3%CWE-89
WP AutoSuggest 0.24 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the wpas_keys parameter. Attackers can send GET requests to autosuggest.php with crafted wpas_keys values to extract sensitive database information from WordPress posts and other tables.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
Affected products
eliekhoury · WP AutoSuggest
public PoCs found1
cve_referencewww.exploit-db.com/exploits/45977unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://kaimi.iohttps://wordpress.org/plugins/wp-autosuggest/https://www.exploit-db.com/exploits/45977https://www.vulncheck.com/advisories/wp-autosuggest-sql-injection-via-autosuggest-php