Vulnerability Details : CVE-2014-8336
Potential exploit
The "Sql Run Query" panel in WP-DBManager (aka Database Manager) plugin before 2.7.2 for WordPress allows remote attackers to read arbitrary files by leveraging failure to sufficiently limit queries, as demonstrated by use of LOAD_FILE in an INSERT statement.
Vulnerability category: Input validation
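The description above pins the bug to where the query was allowed to run, not to which function it called: a gate that looks only at the statement type lets a file-reading function through inside an INSERT. The following is an added example of the kind of check the fix's commit title describes ("do not allow LOAD_FILE inside queries"); it is not the plugin's code and not the patch itself. The helper names are hypothetical, the sample queries are constructed, and blocking OUTFILE/DUMPFILE alongside LOAD_FILE is an assumption about what a reviewer would also want, not something this page states. The scanner skips string literals and ordinary comments but deliberately scans the body of MySQL versioned comments (`/*!50000 ... */`), because the server executes those as code.

```python
"""Query gate for a "run arbitrary SQL" admin panel (added example, not the
plugin's code).  Rejects MySQL file primitives wherever they appear in a
statement, which is the gap the advisory describes: LOAD_FILE reachable
from an INSERT.  Helper names are hypothetical.
"""

# LOAD_FILE is the function named in the advisory.  OUTFILE/DUMPFILE are the
# write-side file primitives (SELECT ... INTO OUTFILE); including them is an
# assumption about what a reviewer would also block, not something the page says.
DENIED_IDENTIFIERS = {"LOAD_FILE", "OUTFILE", "DUMPFILE"}


def identifiers_outside_strings(sql):
    """Yield upper-cased bare identifiers from `sql`.

    Skips '...' / "..." string literals, backtick-quoted names and ordinary
    comments.  The body of a versioned comment (/*!50000 ... */) is scanned
    as code because MySQL executes it; stripping it as a comment first would
    let /*!LOAD_FILE(...)*/ past a naive filter.
    """
    i, n = 0, len(sql)
    while i < n:
        c = sql[i]
        if c in ("'", '"', "`"):
            i += 1
            while i < n:
                if sql[i] == "\\" and c != "`":          # backslash escape in strings
                    i += 2
                elif sql[i] == c and i + 1 < n and sql[i + 1] == c:
                    i += 2                               # doubled quote
                elif sql[i] == c:
                    i += 1                               # closing quote
                    break
                else:
                    i += 1
            continue
        if sql.startswith("/*!", i):                     # versioned comment: keep body
            i += 3
            while i < n and sql[i].isdigit():            # optional version number
                i += 1
            continue
        if sql.startswith("*/", i):                      # end of a versioned comment
            i += 2
            continue
        if sql.startswith("/*", i):                      # ordinary block comment
            end = sql.find("*/", i + 2)
            i = n if end == -1 else end + 2
            continue
        if c == "#" or sql.startswith("-- ", i):         # line comment
            end = sql.find("\n", i)
            i = n if end == -1 else end + 1
            continue
        if c.isalpha() or c == "_":
            j = i + 1
            while j < n and (sql[j].isalnum() or sql[j] == "_"):
                j += 1
            yield sql[i:j].upper()
            i = j
            continue
        i += 1


def query_allowed(sql):
    """True if `sql` uses no denied identifier outside quotes and comments."""
    return not any(tok in DENIED_IDENTIFIERS
                   for tok in identifiers_outside_strings(sql))


def naive_check(sql):
    """Substring check shown for contrast: case-sensitive, so a lowercase
    load_file(...) passes it, and it also rejects the word inside a literal."""
    return "LOAD_FILE" not in sql


if __name__ == "__main__":
    # Constructed sample statements; the second is the pattern the advisory names.
    for q in ("SELECT COUNT(*) FROM wp_posts",
              "INSERT INTO t (c) VALUES (LOAD_FILE('/etc/passwd'))",
              "insert into t (c) values (load_file('/etc/passwd'))",
              "SELECT /*!50000 LOAD_FILE('/etc/passwd') */"):
        print("allowed" if query_allowed(q) else "denied ", "|", q)
```

Run it directly to see the four constructed statements classified; only the first is allowed. The gate is an allow/deny on the query text and is no substitute for the other half of the fix (the commit also moved shell arguments through escapeshellcmd()), nor for restricting who can reach the panel at all.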
Products affected by CVE-2014-8336
- cpe:2.3:a:wp-dbmanager_project:wp-dbmanager:*:*:*:*:*:wordpress:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-8336
0.21% (probability of exploitation activity in the next 30 days)
~59th percentile (proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2014-8336
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N | 8.0 | 2.9 | NIST |
6.5 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 2.8 | 3.6 | NIST |
CWE ids for CVE-2014-8336
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2014-8336
- http://www.vapid.dhs.org/advisories/wordpress/plugins/wp-dbmanager-2.7.1/index.html
  "wp-dbmanager.php command injection" (Exploit; Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2014/10/21/3
  "oss-security - Re: Vulnerabilities in WordPress Database Manager v2.7.1" (Issue Tracking; Mailing List; Patch; Third Party Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/97694
  "Database Manager plugin for WordPress Sql Run Query File Download CVE-2014-8336 Vulnerability Report" (Issue Tracking; Third Party Advisory; VDB Entry)
- https://github.com/lesterchan/wp-dbmanager/commit/7037fa8f61644098044379190d1d4bf1883b8e4a
  "Uses escapeshellcmd() and do not allow LOAD_FILE inside queries · lesterchan/wp-dbmanager@7037fa8 · GitHub" (Issue Tracking; Patch; Third Party Advisory)
- https://wordpress.org/plugins/wp-dbmanager/#developers
  "WP-DBManager – WordPress plugin | WordPress.org" (Third Party Advisory)