CVE-2014-1854 - Vulnerability Details - OpenCVE

SQL injection vulnerability in library/clicktracker.php in the AdRotate Pro plugin 3.9 through 3.9.5 and AdRotate Free plugin 3.9 through 3.9.4 for WordPress allows remote attackers to execute arbitrary SQL commands via the track parameter.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Adrotateplugin	Adrotate

Configuration 1 [-]

OR	cpe:2.3:a:adrotateplugin:adrotate:3.9.::free::wordpress:::*
	cpe:2.3:a:adrotateplugin:adrotate:3.9.::pro::wordpress:::*
	cpe:2.3:a:adrotateplugin:adrotate:3.9.1::free::wordpress:::*
	cpe:2.3:a:adrotateplugin:adrotate:3.9.1::pro::wordpress:::*
	cpe:2.3:a:adrotateplugin:adrotate:3.9.2::free::wordpress:::*
	cpe:2.3:a:adrotateplugin:adrotate:3.9.2::pro::wordpress:::*
	cpe:2.3:a:adrotateplugin:adrotate:3.9.3::free::wordpress:::*
	cpe:2.3:a:adrotateplugin:adrotate:3.9.3::pro::wordpress:::*
	cpe:2.3:a:adrotateplugin:adrotate:3.9.4::free::wordpress:::*
	cpe:2.3:a:adrotateplugin:adrotate:3.9.4::pro::wordpress:::*
	cpe:2.3:a:adrotateplugin:adrotate:3.9.5::pro::wordpress:::*

No data.

References

Link	Providers
http://secunia.com/advisories/57079
http://www.adrotateplugin.com/2014/01/adrotate-pro-3-9-6-and-adrotate-free-3-9-5
http://www.exploit-db.com/exploits/31834
http://www.securityfocus.com/archive/1/531176/100/0/threaded
http://www.securityfocus.com/bid/65709
https://exchange.xforce.ibmcloud.com/vulnerabilities/91253
https://www.htbridge.com/advisory/HTB23201

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2014-02-27T15:00:00

Updated: 2024-08-06T09:58:15.640Z

Reserved: 2014-02-02T00:00:00

Link: CVE-2014-1854

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2014-02-27T15:55:15.623

Modified: 2025-04-12T10:46:40.837

Link: CVE-2014-1854

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-02-20T00:00:00", "descriptions": [{"lang": "en", "value": "SQL injection vulnerability in library/clicktracker.php in the AdRotate Pro plugin 3.9 through 3.9.5 and AdRotate Free plugin 3.9 through 3.9.4 for WordPress allows remote attackers to execute arbitrary SQL commands via the track parameter."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-09T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "adrotate-track-sql-injection(91253)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91253"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.adrotateplugin.com/2014/01/adrotate-pro-3-9-6-and-adrotate-free-3-9-5"}, {"name": "20140220 SQL Injection in AdRotate", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/531176/100/0/threaded"}, {"tags": ["x_refsource_MISC"], "url": "https://www.htbridge.com/advisory/HTB23201"}, {"name": "65709", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/65709"}, {"name": "31834", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "http://www.exploit-db.com/exploits/31834"}, {"name": "57079", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/57079"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-1854", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "SQL injection vulnerability in library/clicktracker.php in the AdRotate Pro plugin 3.9 through 3.9.5 and AdRotate Free plugin 3.9 through 3.9.4 for WordPress allows remote attackers to execute arbitrary SQL commands via the track parameter."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "adrotate-track-sql-injection(91253)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91253"}, {"name": "http://www.adrotateplugin.com/2014/01/adrotate-pro-3-9-6-and-adrotate-free-3-9-5", "refsource": "CONFIRM", "url": "http://www.adrotateplugin.com/2014/01/adrotate-pro-3-9-6-and-adrotate-free-3-9-5"}, {"name": "20140220 SQL Injection in AdRotate", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/531176/100/0/threaded"}, {"name": "https://www.htbridge.com/advisory/HTB23201", "refsource": "MISC", "url": "https://www.htbridge.com/advisory/HTB23201"}, {"name": "65709", "refsource": "BID", "url": "http://www.securityfocus.com/bid/65709"}, {"name": "31834", "refsource": "EXPLOIT-DB", "url": "http://www.exploit-db.com/exploits/31834"}, {"name": "57079", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/57079"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T09:58:15.640Z"}, "title": "CVE Program Container", "references": [{"name": "adrotate-track-sql-injection(91253)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91253"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.adrotateplugin.com/2014/01/adrotate-pro-3-9-6-and-adrotate-free-3-9-5"}, {"name": "20140220 SQL Injection in AdRotate", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/531176/100/0/threaded"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.htbridge.com/advisory/HTB23201"}, {"name": "65709", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/65709"}, {"name": "31834", "tags": ["exploit", "x_refsource_EXPLOIT-DB", "x_transferred"], "url": "http://www.exploit-db.com/exploits/31834"}, {"name": "57079", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/57079"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-1854", "datePublished": "2014-02-27T15:00:00", "dateReserved": "2014-02-02T00:00:00", "dateUpdated": "2024-08-06T09:58:15.640Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:adrotateplugin:adrotate:3.9.:*:free:*:wordpress:*:*:*", "matchCriteriaId": "483C28A0-5F21-4E21-9F6F-6246C3C53709", "vulnerable": true}, {"criteria": "cpe:2.3:a:adrotateplugin:adrotate:3.9.:*:pro:*:wordpress:*:*:*", "matchCriteriaId": "C7DC846F-917F-47D0-BCA9-8A9EE7D97F65", "vulnerable": true}, {"criteria": "cpe:2.3:a:adrotateplugin:adrotate:3.9.1:*:free:*:wordpress:*:*:*", "matchCriteriaId": "B0076ED6-2B17-4D8E-9116-6BC79F2C671F", "vulnerable": true}, {"criteria": "cpe:2.3:a:adrotateplugin:adrotate:3.9.1:*:pro:*:wordpress:*:*:*", "matchCriteriaId": "16F83F5A-6ED6-4433-90BB-3F2C12E2B353", "vulnerable": true}, {"criteria": "cpe:2.3:a:adrotateplugin:adrotate:3.9.2:*:free:*:wordpress:*:*:*", "matchCriteriaId": "7FF95C58-4356-4DBC-8319-ECF56C46E209", "vulnerable": true}, {"criteria": "cpe:2.3:a:adrotateplugin:adrotate:3.9.2:*:pro:*:wordpress:*:*:*", "matchCriteriaId": "BC9A588B-CD08-4998-A38D-F8A399C7084B", "vulnerable": true}, {"criteria": "cpe:2.3:a:adrotateplugin:adrotate:3.9.3:*:free:*:wordpress:*:*:*", "matchCriteriaId": "D6D55167-F7D1-42C3-83EA-2DC5207D772E", "vulnerable": true}, {"criteria": "cpe:2.3:a:adrotateplugin:adrotate:3.9.3:*:pro:*:wordpress:*:*:*", "matchCriteriaId": "8B8EDFB6-F678-49C0-9AFF-C542E9FCE9BF", "vulnerable": true}, {"criteria": "cpe:2.3:a:adrotateplugin:adrotate:3.9.4:*:free:*:wordpress:*:*:*", "matchCriteriaId": "4CECF7E3-F473-4112-A4CC-46E768A7D069", "vulnerable": true}, {"criteria": "cpe:2.3:a:adrotateplugin:adrotate:3.9.4:*:pro:*:wordpress:*:*:*", "matchCriteriaId": "520DF6B5-55DD-49F1-A6FB-6B0A8C121617", "vulnerable": true}, {"criteria": "cpe:2.3:a:adrotateplugin:adrotate:3.9.5:*:pro:*:wordpress:*:*:*", "matchCriteriaId": "26813052-FE27-4D2B-AB07-12131A5957E5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SQL injection vulnerability in library/clicktracker.php in the AdRotate Pro plugin 3.9 through 3.9.5 and AdRotate Free plugin 3.9 through 3.9.4 for WordPress allows remote attackers to execute arbitrary SQL commands via the track parameter."}, {"lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n SQL en library/clicktracker.php en los plugins AdRotate Pro 3.9 hasta 3.9.5 y AdRotate Free 3.9 hasta 3.9.4 para WordPress permite a atacantes remotos ejecutar comandos SQL arbitrarios a trav\u00e9s del par\u00e1metro track."}], "id": "CVE-2014-1854", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-02-27T15:55:15.623", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/57079"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://www.adrotateplugin.com/2014/01/adrotate-pro-3-9-6-and-adrotate-free-3-9-5"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://www.exploit-db.com/exploits/31834"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/531176/100/0/threaded"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/65709"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91253"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "https://www.htbridge.com/advisory/HTB23201"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/57079"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://www.adrotateplugin.com/2014/01/adrotate-pro-3-9-6-and-adrotate-free-3-9-5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "http://www.exploit-db.com/exploits/31834"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/531176/100/0/threaded"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/65709"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91253"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "https://www.htbridge.com/advisory/HTB23201"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}]}