Date: Thu, 16 Apr 2015 11:20:11 +0200
From: "Hannes Trunde" <>
To: <>
Cc: <>
Subject: AW: CVE request: SQL injection vulnerability in WordPress plugins Community Events 1.3.5, Tune Library 1.5.4, WP Symposium 15.1

> > 3) WP Symposium plugin SQL injection vulnerability
> > Affected version: 15.1 (and likely all versions below)
> > Fixed version: Not yet available, author is working on a fix
> > Plugin URL:  (still disabled by team)
> Is this different from
> ? We feel that we may not have definitive information about whether that
> SQL injection was ever fixed. The
> page no longer exists with its 2014 content, but had previously only
> mentioned fixing XSS, not fixing SQL injection.


It's definitely a different vulnerability, as CVE-2014-8810 regards a SQL
injection vulnerability in ajax/mail_functions.php, whereas the problem I
discovered exists in a forum function. I received the following notification
from the plugin author:

> From: Simon (WPS) []
> Sent: Wednesday, 15. April 2015 09:54
> To: Hannes Trunde
> Subject: Re: AW: SQL Injection Vulnerability in WP Symposium
>
> Thanks Hannes, I've implemented the fix in the code and will be looking to
> get it uploaded to the WordPress repo later today.
>
> Kind regards
> Simon

I will post the changelog link and details of the vulnerability as soon as
the plugin page is online again.

By the way - what would be the best way to publish the vulnerability
details? A reply to this thread or posting it to Exploit-DB, Packet Storm or
other mailing lists like Fulldisc or Bugtraq? Any best practices?

Thank you very much!

Hannes Trunde
