cvebase
CVE-2015-9323
published 2019-08-16

CVE-2015-9323: The 404-to-301 plugin before 2.0.3 for WordPress has SQL injection.

Priority: P273 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available (PoC command listed under Detection & IOCs)
EPSS: 46.13% (98.7th percentile)

Affected (1 range)

Vendor    Product      Version range   Fixed in
duckdev   404_to_301   < 2.0.3         2.0.3

Detection & IOCs (extracted from sources)

url:      http://<target_ip>:<port><wp_path>wp-admin/admin.php?page=i4t3-logs&orderby=1
path:     /wp-admin/admin.php?page=i4t3-logs&orderby=1
command:  sqlmap -u "http://<target>:<port><path>wp-admin/admin.php?page=i4t3-logs&orderby=1" --level 2 --risk 2 --cookie="<cookie>" -p orderby -v0
nuclei template (DSL matchers; the source extract labels this "yara", but the syntax is Nuclei's):
  name: 404 to 301
  matchers:
    - type: dsl
      dsl:
        - 'status_code == 200'
        - 'contains(content_type, "text/html")'
        - 'contains(body, "404-to-301")'
      condition: and
  # digest: 4a0a00473045022076e7faa4ba20bf8952193cd6e0a24aa75b384140e72da17212d837b5ca2c8908022100ad62c0634a90123d8334f413dce7744617ebd52c63e679f4eac976df5078e2f9:922c64590222798bb761d5b6d8e72950
  • The injection point is the `orderby` parameter of GET requests to `/wp-admin/admin.php?page=i4t3-logs`. Monitor that parameter for values that are not a bare column name or index: quotes, whitespace, parentheses, comment markers, or leftover percent-encoding are all signs of an injection attempt.
  • Detect the presence of the plugin by checking HTTP responses for the string `404-to-301` in the body, with content-type `text/html` and status code 200. This fingerprints the plugin, not the vulnerable version; confirm the version (< 2.0.3) before treating the host as affected.
  • The published exploit runs sqlmap with `--level 2 --risk 2` against `-p orderby` specifically; WAF/IDS rules should flag sqlmap fingerprints (default user-agent, probe payloads) against this endpoint. Note that the user-agent is trivially changed by the attacker, so the parameter-value check is the one that holds up.
  • Exploitation is authenticated: the PoC supplies a WordPress cookie (`--cookie`) to reach the admin page, so an attacker needs a valid WordPress session first. The NVD v3.1 vector below nevertheless scores PR:N; treat an authenticated session as the practical precondition.
  • The vulnerability affects plugin versions <= 2.0.2; version 2.0.3 and above are patched.
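The detection points above, as an added example in Python (this is not code from the source page or from the plugin): a small scanner over Apache combined-format access-log lines that flags requests to the `i4t3-logs` admin page whose `orderby` value is not a bare column name or index, or that carry a sqlmap user-agent. The log lines, hosts, timestamps and payload values are constructed for the example; the allow-list pattern for `orderby` is an assumption, since the page does not list the column names the plugin actually accepts.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache "combined" log format; not captured traffic.
# The i4t3-logs page and the orderby parameter come from the IOCs above; the
# hosts, timestamps and payload values are made up for the example.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Aug/2019:10:00:01 +0000] "GET /wp-admin/admin.php?page=i4t3-logs&orderby=date HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [16/Aug/2019:10:00:07 +0000] "GET /wp-admin/admin.php?page=i4t3-logs&orderby=1%20AND%20SLEEP(5) HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [16/Aug/2019:10:00:09 +0000] "GET /wp-admin/admin.php?page=i4t3-logs&orderby=1 HTTP/1.1" 200 5120 "-" "sqlmap/1.3.8#stable (http://sqlmap.org)"
10.0.0.5 - - [16/Aug/2019:10:00:12 +0000] "GET /wp-admin/admin.php?page=i4t3-logs&orderby=date%27 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [16/Aug/2019:10:00:15 +0000] "GET /wp-admin/admin.php?page=other-plugin&orderby=1%20OR%201=1 HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Assumed allow-list: a benign orderby is a bare column name or index. Anything
# else (quotes, spaces, parentheses, comment markers, or leftover percent signs
# from a double-encoding trick) is treated as an injection attempt.
SAFE_ORDERBY = re.compile(r'^[A-Za-z0-9_]{1,32}$')

VULN_PAGE = "i4t3-logs"


def parse_line(line):
    """Parse one combined-format line; return a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    # parse_qs percent-decodes once, so "1%20AND%20SLEEP(5)" becomes "1 AND SLEEP(5)".
    entry["query"] = parse_qs(parts.query, keep_blank_values=True)
    return entry


def classify(entry):
    """Return the alert reasons for one parsed request; an empty list means benign."""
    reasons = []
    if not entry["path"].endswith("/wp-admin/admin.php"):
        return reasons
    if entry["query"].get("page") != [VULN_PAGE]:
        return reasons
    if "sqlmap" in entry["ua"].lower():
        reasons.append("sqlmap user-agent against the i4t3-logs page")
    for value in entry["query"].get("orderby", []):
        if not SAFE_ORDERBY.match(value):
            reasons.append(f"suspicious orderby value: {value!r}")
    return reasons


def scan(log_text):
    """Run the detector over a log blob; return (ip, timestamp, reasons) per flagged request."""
    alerts = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            alerts.append((entry["ip"], entry["ts"], reasons))
    return alerts


if __name__ == "__main__":
    for ip, ts, reasons in scan(SAMPLE_LOG):
        print(f"{ts} {ip}: " + "; ".join(reasons))
```

Run against the constructed sample it reports three requests: the `SLEEP(5)` payload, the sqlmap user-agent with a harmless-looking `orderby=1`, and the single-quote probe `date'`. The request to a different admin page is ignored even though it carries an `OR 1=1`, because the rule is scoped to the vulnerable endpoint; widen `VULN_PAGE` if you want a generic `orderby` rule. The plugin fingerprint from the second bullet (response body containing `404-to-301`) is an active HTTP probe, not a log check, and is deliberately not part of this scanner.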

CVSS provenance

Source   Version   Score   Severity   Vector
NVD      v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD      v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P