CVE-2019-10692

high-risk
Published 2019-04-02

In the wp-google-maps plugin before 7.11.18 for WordPress, includes/class.rest-api.php in the REST API does not sanitize field names before a SELECT statement.

Do I need to act?

!
88.8% chance of exploitation in next 30 days
EPSS score — higher than 11% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Wp Go Maps

Affected Vendors

Codecabin

References (8)

Exploit http://packetstormsecurity.com/files/159640/WordPress-Rest-Google-Maps-SQL-Injec...
Exploit http://www.rapid7.com/db/modules/auxiliary/admin/http/wp_google_maps_sqli
Patch https://plugins.trac.wordpress.org/changeset?old_path=%2Fwp-google-maps&old=2061...
Third Party Advisory https://wordpress.org/plugins/wp-google-maps/#developers
Exploit http://packetstormsecurity.com/files/159640/WordPress-Rest-Google-Maps-SQL-Injec...
Exploit http://www.rapid7.com/db/modules/auxiliary/admin/http/wp_google_maps_sqli
Patch https://plugins.trac.wordpress.org/changeset?old_path=%2Fwp-google-maps&old=2061...
Third Party Advisory https://wordpress.org/plugins/wp-google-maps/#developers
57
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 20/34 · Moderate
Exposure 5/34 · Minimal