Attacker Value
Very Low
(1 user assessed)
Exploitability
High
(1 user assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
1

CVE-2020-11530

Disclosure Date: May 08, 2020
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

A blind SQL injection vulnerability is present in Chop Slider 3, a WordPress plugin. The vulnerability is introduced in the id GET parameter supplied to get_script/index.php, and allows an attacker to execute arbitrary SQL queries in the context of the WP database user.

Add Assessment

2
Ratings
  • Attacker Value
    Very Low
  • Exploitability
    High
Technical Analysis

Blind SQLi in Chop Slider 3 by iDangero.us. The true value of this exploit is low, simply because the company stopped supporting the plugin several years before the exploit was discovered. Most users had therefore moved away from the plug-in before disclosure.

The iDangero.us Chop Slider 3 WordPress plugin prior to version 3.4 contains a blind SQL injection in the id parameter of the get_sript/index.php page. The injection is passed through GET parameters, and thus must be encoded, and magic_quotes is applied at the server.

Exploitable in default config, a valid id is not required.

https://github.com/rapid7/metasploit-framework/pull/14576

General Information

Technical Analysis