SQL injection in iThemes Security - CVE-2018-12636
Published: June 26, 2018 / Updated: July 29, 2021
Vulnerability identifier: #VU13496
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear
CVE-ID: CVE-2018-12636
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vendor: iThemes
Affected software:
iThemes Security
iThemes Security
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary SQL commands in web application database.
The vulnerability exists due to insufficient sanitization of user-supplied data in "orderby" parameter on the "itsec-logs" page. A remote authenticated administrator can send a specially crafted HTTP request to vulnerable script and execute arbitrary SQL commands in web application database.
Successful exploitation of the vulnerability may allow an attacker to gain administrative access to vulnerable web application.
How to mitigate CVE-2018-12636
Install update from vendor's website.