CVE-2015-2065
published 2015-02-24


Priority: P2 (62) · Severity: high · CVSS 2.0 base score: 7.5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: known
EPSS: 41.07% (98.5th percentile)
SQL injection vulnerability in videogalleryrss.php in the Apptha WordPress Video Gallery (contus-video-gallery) plugin before 2.8 for WordPress allows remote attackers to execute arbitrary SQL commands via the vid parameter in a rss action to wp-admin/admin-ajax.php.

Affected

1 range

Vendor   Product                  Version range   Fixed in
apptha   wordpress_video_gallery  <= 2.7          2.8

Detection & IOCs (extracted from sources)

url:      /wp-admin/admin-ajax.php?action=rss&type=video&vid=
path:     /wp-admin/admin-ajax.php
filename: videogalleryrss.php
  • Detect unauthenticated GET requests to /wp-admin/admin-ajax.php with action=rss and a vid parameter carrying SQL injection payloads (UNION-based injection is the documented technique).
  • The Google dork 'inurl:/wp-admin/admin-ajax.php?action=rss' can be used to identify exposed vulnerable WordPress instances; monitor web server logs for this request pattern.
  • The vulnerable parameter is 'vid' in a GET request with action=rss and type=video to admin-ajax.php; alert on any non-integer value in vid, since a legitimate request carries only a numeric video ID.
  • The fix enforces integer casting on the vid parameter and shipped in plugin version 2.8; versions 2.7 and earlier are vulnerable.
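The detection logic described above, written out as an added example (this is not code from the page's sources or from the plugin): it parses combined-format access-log lines, isolates admin-ajax.php requests with action=rss, and flags a vid value that carries SQL tokens or is not a plain integer. The sample log lines, the log regex and the SQL-token list are constructed for the example; the php_intval helper is an approximation of PHP's intval() string semantics, included only to show why the integer cast in 2.8 neutralises the payload. Access logs do not record WordPress authentication state, so the "unauthenticated" qualifier is not checked here.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined access-log layout: ip ident user [ts] "METHOD target PROTO" status size
# (regex is an assumption matching the constructed sample below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Tokens typical of UNION-based and error-based probes against an integer parameter.
SQLI_MARKERS = re.compile(
    r"union\s+(all\s+)?select|sleep\s*\(|benchmark\s*\(|--|/\*|'|\bor\b\s+\d+\s*=\s*\d+",
    re.IGNORECASE,
)

# Constructed sample log; IPs are documentation-range addresses.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Feb/2015:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=rss&type=video&vid=12 HTTP/1.1" 200 5120
203.0.113.8 - - [24/Feb/2015:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=rss&type=video&vid=1%20UNION%20SELECT%201,2,3,4 HTTP/1.1" 200 8811
203.0.113.9 - - [24/Feb/2015:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=rss&type=video&vid=1' HTTP/1.1" 500 210
203.0.113.10 - - [24/Feb/2015:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 31
203.0.113.11 - - [24/Feb/2015:10:00:05 +0000] "GET /index.php?vid=1%20UNION%20SELECT HTTP/1.1" 200 31
203.0.113.12 - - [24/Feb/2015:10:00:06 +0000] "GET /wp-admin/admin-ajax.php?action=rss&type=video&vid=abc HTTP/1.1" 200 40
"""


def extract_rss_vid(target):
    """Return the decoded vid value if target is an admin-ajax.php request with action=rss
    and a vid parameter, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)  # also percent-decodes values
    if qs.get("action", [""])[0].lower() != "rss":
        return None
    return qs.get("vid", [None])[0]


def classify_vid(vid):
    """Reason string for a suspicious vid value, or None for a plain integer ID."""
    if SQLI_MARKERS.search(vid):
        return "sqli-tokens"
    if not re.fullmatch(r"\d+", vid):
        return "non-integer-vid"
    return None


def scan_log(text):
    """Return [(ip, vid, reason)] for every GET line matching the CVE-2015-2065 pattern."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        vid = extract_rss_vid(m.group("target"))
        if vid is None:
            continue
        reason = classify_vid(vid)
        if reason:
            hits.append((m.group("ip"), vid, reason))
    return hits


def php_intval(raw):
    """Approximate PHP intval() on a string: optional leading whitespace, sign and digits
    are kept, anything else yields 0. Shows why casting vid to int strips the payload."""
    m = re.match(r"\s*[+-]?\d+", raw)
    return int(m.group(0)) if m else 0


if __name__ == "__main__":
    for ip, vid, reason in scan_log(SAMPLE_LOG):
        print(f"{ip}\t{reason}\tvid={vid!r}\tafter int cast: {php_intval(vid)}")
```

The last column illustrates the 2.8 fix: an integer cast turns "1 UNION SELECT 1,2,3,4" into 1, so the query still runs but only ever receives a numeric ID. On the detection side, the non-integer check is the robust rule; the token list only labels the obvious payloads and should not be the sole trigger.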