Attacker Value
Very Low
(1 user assessed)
Exploitability
High
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
CVE-2020-11530

Disclosure Date: May 08, 2020

Description

A blind SQL injection vulnerability is present in Chop Slider 3, a WordPress plugin. The vulnerability is introduced in the id GET parameter supplied to get_script/index.php, and allows an attacker to execute arbitrary SQL queries in the context of the WP database user.

Ratings
  • Attacker Value
    Very Low
  • Exploitability
    High
Technical Analysis

Blind SQLi in Chop Slider 3 by iDangero.us. The true value of this exploit is low, simply because the company stopped supporting the plugin several years before the exploit was discovered. Most users had therefore moved away from the plug-in before disclosure.

The iDangero.us Chop Slider 3 WordPress plugin prior to version 3.4 contains a blind SQL injection in the id parameter of the get_script/index.php page. The injection is passed through GET parameters, and thus must be encoded, and magic_quotes is applied at the server.

Exploitable in default config; a valid id is not required.

https://github.com/rapid7/metasploit-framework/pull/14576
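
For defenders, one way to hunt for abuse of this endpoint in web server access logs, as an added example that is not part of the original assessment or the plugin's code. It assumes combined-format log lines and that legitimate id values are short alphanumeric tokens; the `PLUGIN_DIR` path segment, the IP addresses and the log lines are constructed placeholders.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint named in the CVE description; the plugin directory above it is not
# given on the page, so matching is done on the path suffix only.
ENDPOINT = "/get_script/index.php"
# Assumption: a legitimate slider id is a short alphanumeric token.
SAFE_ID = re.compile(r"[A-Za-z0-9_-]{1,32}")
# Client IP and request target from a combined-format access log line.
REQUEST = re.compile(r'^(\S+) [^"]*"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IP ranges, placeholder plugin dir).
SAMPLE_LOG = [
    '192.0.2.10 - - [08/May/2020:10:00:01 +0000] "GET /wp-content/plugins/'
    'PLUGIN_DIR/get_script/index.php?id=slider_1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [08/May/2020:10:00:05 +0000] "GET /wp-content/plugins/'
    'PLUGIN_DIR/get_script/index.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 512',
    '198.51.100.7 - - [08/May/2020:10:00:09 +0000] "GET /wp-content/plugins/'
    'PLUGIN_DIR/get_script/index.php?id=1%2527%2520OR%25201 HTTP/1.1" 200 512',
    '203.0.113.3 - - [08/May/2020:10:01:00 +0000] "GET /index.php?id=1%27 '
    'HTTP/1.1" 200 100',
]


def suspicious_requests(lines):
    """Return (client_ip, decoded_id) for endpoint hits whose id fails the allowlist."""
    findings = []
    for line in lines:
        match = REQUEST.match(line)
        if not match:
            continue  # not a parsable request line
        client_ip, target = match.groups()
        url = urlsplit(target)
        if not unquote(url.path).lower().endswith(ENDPOINT):
            continue  # some other page; out of scope for this check
        for value in parse_qs(url.query).get("id", []):
            # parse_qs decodes once; decode a second time so double-encoded
            # input is reported in readable form.
            decoded = unquote(value)
            if not SAFE_ID.fullmatch(decoded):
                findings.append((client_ip, decoded))
    return findings


if __name__ == "__main__":
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} sent non-conforming id: {value!r}")
```

An allowlist on the id value is used rather than a keyword blocklist, so encoded or obfuscated input is flagged without having to enumerate payloads.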

CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • idangero

Products

  • chop slider 3.0