This can be exploited by attackers to run arbitrary SQL queries as high-privileged users. WP User Merger reduces the work needed to merge multiple WP user accounts into a single account. It should be used with caution, and input must always be sanitized and escaped to prevent SQL injection. This vulnerability was resolved in WP version 1.5.3 and later.

CVE-2023-3866

An attacker can exploit this vulnerability by calling the wp_login() function with a specially crafted login_url argument. This could allow the attacker to hijack an account.
The flaw was fixed in WP version 1.5.2 and later, but you should always update your installation to the latest version.

SQL Injection in WP

SQL injection is the insertion of attacker-controlled SQL into a query that is sent to the database. This vulnerability can be exploited by attackers to run arbitrary SQL queries as high-privileged users. WP User Merger reduces the work needed to merge multiple WP user accounts into a single account; it should be used with caution, and input must always be sanitized and escaped to prevent SQL injection. This vulnerability was resolved in WP version 1.5.3 and later.

SQL Injections in WP User Merger

A cross-site request forgery (CSRF) attack can be used to hijack users' login credentials. SQL injection vulnerabilities occur when user input is not properly sanitized and/or escaped before being used as an argument in an SQL query. Such flaws allow attackers to run arbitrary SQL queries on the database server as high-privileged users.
One way this vulnerability can be exploited is by supplying input that alters the query so that it references other tables in the database. Depending on what the database permits, this lets the attacker view sensitive information, change data, and so on.
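The root cause described above (request values concatenated into an SQL query) and the mitigations the page calls for (sanitize and escape input, and guard state-changing requests against CSRF) are shown below as an added example. This is not code from the WP User Merger plugin or from WordPress core; the handler, function names, the `wpum_merge_users` nonce action and the `source_user`/`target_user` request fields are hypothetical. The WordPress APIs used (`$wpdb->prepare()`, `absint()`, `check_admin_referer()`, `current_user_can()`, `get_user_by()`, `wp_delete_user()`) are real.

```php
<?php
// Added example, not the plugin's own code. Two versions of a hypothetical
// "merge user A into user B" admin handler: one with the defect class the
// advisory describes, one hardened.

// VULNERABLE: request values are interpolated straight into SQL. Whatever
// arrives in 'source_user' / 'target_user' becomes part of the query text,
// so a crafted value changes the query instead of being treated as data.
function wpum_merge_users_vulnerable() {
    global $wpdb;
    $source = $_POST['source_user'];
    $target = $_POST['target_user'];

    // Re-point the merged user's posts at the target account.
    $wpdb->query( "UPDATE {$wpdb->posts} SET post_author = $target WHERE post_author = $source" );
    $wpdb->query( "DELETE FROM {$wpdb->users} WHERE ID = $source" );
}

// HARDENED: capability check, CSRF nonce check, strict type coercion,
// existence check, and a parameterised query via $wpdb->prepare().
function wpum_merge_users_hardened() {
    global $wpdb;

    // Only administrators may merge accounts.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', '', array( 'response' => 403 ) );
    }

    // The request must carry a valid nonce, so it cannot be forged from
    // another site (the CSRF case the advisory mentions). The action name
    // 'wpum_merge_users' is hypothetical and must match the form's nonce field.
    check_admin_referer( 'wpum_merge_users' );

    // User IDs are integers; absint() discards anything that is not a
    // non-negative integer, so no SQL metacharacters can survive.
    $source = isset( $_POST['source_user'] ) ? absint( $_POST['source_user'] ) : 0;
    $target = isset( $_POST['target_user'] ) ? absint( $_POST['target_user'] ) : 0;
    if ( 0 === $source || 0 === $target || $source === $target ) {
        wp_die( 'Invalid user IDs.', '', array( 'response' => 400 ) );
    }

    // Refuse to proceed unless both IDs name existing accounts.
    if ( ! get_user_by( 'id', $source ) || ! get_user_by( 'id', $target ) ) {
        wp_die( 'Unknown user.', '', array( 'response' => 400 ) );
    }

    // prepare() binds the values into typed placeholders (%d here); the SQL
    // text itself never contains request input.
    $wpdb->query( $wpdb->prepare(
        "UPDATE {$wpdb->posts} SET post_author = %d WHERE post_author = %d",
        $target,
        $source
    ) );

    // Delete through the core API rather than raw SQL so user metadata and
    // caches are handled; the second argument reassigns remaining content
    // to the target account, which is the merge semantics.
    require_once ABSPATH . 'wp-admin/includes/user.php';
    wp_delete_user( $source, $target );
}

// Hypothetical registration: handles POST /wp-admin/admin-post.php?action=wpum_merge_users
add_action( 'admin_post_wpum_merge_users', 'wpum_merge_users_hardened' );
```

The two functions differ in where user input ends up: in the vulnerable version it is part of the query string, in the hardened version it is a bound integer parameter and the query string is a fixed template. When reviewing a plugin for this class of bug, grep for `$wpdb->query(`, `$wpdb->get_results(` and `$wpdb->get_var(` calls whose first argument is a string built with interpolation or concatenation rather than the result of `$wpdb->prepare()`.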

Timeline

Published on: 11/28/2022 14:15:00 UTC
Last modified on: 12/02/2022 19:48:00 UTC
