cbcvebase.
CVE-2015-6522
published 2015-08-19


Priority: P2 (score 71, high)
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public exploit available
EPSS: 74.13% (99.4th percentile)
SQL injection vulnerability in the WP Symposium plugin before 15.8 for WordPress allows remote attackers to execute arbitrary SQL commands via the size parameter to get_album_item.php.

Affected

1 range

Vendor        Product        Version range   Fixed in
wpsymposium   wp_symposium   <= 15.7         15.8

Detection & IOCs (extracted from sources)

path: /wp-content/plugins/wp-symposium/get_album_item.php
url:  /wp-content/plugins/wp-symposium/get_album_item.php?size=version%28%29%20;%20--   (decodes to size=version() ; --)
  • Monitor HTTP requests for /wp-content/plugins/wp-symposium/get_album_item.php whose 'size' parameter is not a plain integer or carries SQL syntax; that parameter is the injection point for this unauthenticated SQLi.
  • No session or login cookie is required. Any GET request to get_album_item.php with a manipulated size parameter should be treated as suspicious.
  • The Metasploit auxiliary module wp_symposium_sql_injection uses this endpoint for credential extraction; a run of automated sequential requests to get_album_item.php from one source matches its traffic pattern and indicates active exploitation.
  • Only WP Symposium versions before 15.8 are affected; 15.8 (released 2015-08-07) contains the patch. Confirm the installed version to judge whether a request could have succeeded, but record the request either way: a non-integer size value is attacker activity regardless of patch level.
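As an added worked example (not code from this page, from Metasploit, or from the WP Symposium project), the following Python script applies the detection notes above to a handful of constructed Apache combined-format access log lines: it isolates requests to get_album_item.php, percent-decodes the size parameter, flags any value that is not a plain integer, tags values carrying SQL syntax, and lists source addresses that issued repeated flagged requests, the sequential pattern the Metasploit module produces. The log lines, IP addresses and the SQL_MARKERS list are assumptions for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Injection point from the advisory: the 'size' parameter of this script.
TARGET_PATH = "/wp-content/plugins/wp-symposium/get_album_item.php"

# Substrings that mark SQL syntax in a value that should be a plain integer.
# Assumed list for illustration; tune it to what your WAF/IDS already knows.
SQL_MARKERS = ("union", "select", "version(", "sleep(", "benchmark(", "--", ";", "'", "/*")

# Apache/nginx combined log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+)'
)

# Constructed sample log (not real traffic): one benign request, the IOC URL from
# the advisory, a two-request UNION-based extraction burst, a malformed probe,
# and a request to a different script that must not match.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Aug/2015:10:01:02 +0000] "GET /wp-content/plugins/wp-symposium/get_album_item.php?size=120 HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Aug/2015:10:01:07 +0000] "GET /wp-content/plugins/wp-symposium/get_album_item.php?size=version%28%29%20;%20-- HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [19/Aug/2015:10:02:11 +0000] "GET /wp-content/plugins/wp-symposium/get_album_item.php?size=1%20UNION%20SELECT%20user_login,user_pass%20FROM%20wp_users%20-- HTTP/1.1" 200 2210 "-" "Ruby"
198.51.100.9 - - [19/Aug/2015:10:02:12 +0000] "GET /wp-content/plugins/wp-symposium/get_album_item.php?size=1%20UNION%20SELECT%20user_login,user_pass%20FROM%20wp_users%20LIMIT%201,1%20-- HTTP/1.1" 200 2210 "-" "Ruby"
192.0.2.7 - - [19/Aug/2015:10:03:00 +0000] "GET /wp-content/plugins/wp-symposium/get_album_item.php?size=abc HTTP/1.1" 500 0 "-" "curl/7.43.0"
192.0.2.8 - - [19/Aug/2015:10:03:30 +0000] "GET /wp-content/plugins/wp-symposium/index.php?size=version%28%29 HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""


def query_values(query, name):
    """Percent-decode every value of `name` in a raw query string.

    Splits on '&' only, so a literal ';' inside the payload (as in the
    advisory's IOC URL) stays part of the value instead of ending the pair.
    """
    values = []
    for pair in query.split("&"):
        key, _, val = pair.partition("=")
        if unquote_plus(key) == name:
            values.append(unquote_plus(val))
    return values


def classify_size(value):
    """Return None for a benign (all-digit) size, else a short reason string."""
    if re.fullmatch(r"\d+", value):
        return None
    lowered = value.lower()
    hits = [m for m in SQL_MARKERS if m in lowered]
    return "sql-markers:" + ",".join(hits) if hits else "non-integer"


def analyze_log(text):
    """Scan combined-format log text; return one finding per suspicious 'size' value."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand
        parts = urlsplit(m.group("target"))
        if parts.path != TARGET_PATH:
            continue  # other scripts are out of scope for this rule
        for raw in query_values(parts.query, "size"):
            reason = classify_size(raw)
            if reason is not None:
                findings.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "status": int(m.group("status")),
                    "size": raw,
                    "reason": reason,
                })
    return findings


def repeat_sources(findings, threshold=2):
    """Source IPs with at least `threshold` flagged requests: likely automated extraction."""
    counts = Counter(f["ip"] for f in findings)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    hits = analyze_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ip']:<14} {f['status']} size={f['size']!r} -> {f['reason']}")
    print("repeat sources:", repeat_sources(hits))
```

Run against the sample, the script reports four flagged requests (the advisory's version() probe, both UNION requests, and the malformed 'abc' value that produced a 500) and names 198.51.100.9 as a repeat source. The request to index.php is ignored because the path check comes before any parameter inspection; a 500 on a non-integer value is worth keeping in the finding because an error on malformed input is itself a hint that the value reached the database unquoted.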