CVE-2020-14092
Published 2020-07-02
CVE-2020-14092: The CodePeople Payment Form for PayPal Pro plugin before 1.1.65 for WordPress allows SQL Injection.
Priority P2 · 79 · critical · 9.8 CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 94.53% (99.8th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ithemes | paypal_pro | < 1.1.65 | 1.1.65 |
Detection & IOCs (extracted from sources)
path: `/?cffaction=get_data_from_database`
other: `cffaction=get_data_from_database`
snort
ET EXPLOIT Paypal Pro [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Paypal Pro < 1.1.65 SQLi (CVE-2020-14092)"; flow:established,to_server; http.uri; content:"/?cffaction=get_data_from_database"; nocase; fast_pattern; content:"query="; pcre:"/^[^&]*(?:S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\/\*.+\*\/|EXEC)/Ri"; reference:url,wpscan.com/vulnerability/10287; reference:url,github.com/projectdiscovery/nuclei; reference:cve,2020-14092; classtype:attempted-admin; sid:2033642; rev:2; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2021_08_02, cve CVE_2020_14092, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_08_02;)
- Exploit requests use HTTP GET to the path `/?cffaction=get_data_from_database` with a `query=` parameter containing raw SQL. Match both URI components together to reduce false positives.
- A successful exploitation response (HTTP 200, Content-Type: text/html) will contain the strings `user_login`, `user_email`, `user_pass`, and `user_activation_key` in the body, indicating wp_users table data was dumped in JSON format.
- The Emerging Threats Snort rule (sid:2033642) uses a PCRE to detect common SQL keywords (SELECT, UNION, UPDATE, DELETE, INSERT, SHOW, EXEC, comments) in the `query=` parameter of the exploit URI, covering a broad range of SQLi payloads beyond the PoC.
- The vulnerability is unauthenticated: no session cookie or authentication header is required. Any request to the exploit path from an unauthenticated source should be treated as high-confidence malicious activity.
- The Snort rule requires SSL/TLS decryption to be effective against HTTPS traffic, as indicated by the `deployment SSLDecrypt` metadata tag.
- The Nuclei template matcher requires ALL four body strings (`user_login`, `user_email`, `user_pass`, `user_activation_key`) to be present simultaneously (condition: and), meaning partial SQL dumps or error responses will not trigger the match.
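The same matching logic applied to web server access logs, as an added example (not code from this page or from the rule authors). It assumes Apache/nginx "combined" log format, reuses the keyword alternation from sid:2033642 on the URL-decoded `query` value, and runs on constructed sample lines.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Keyword alternation copied from the PCRE in sid:2033642. The rule's leading
# ^[^&]* is dropped because the value is already isolated and URL-decoded here.
SQL_RE = re.compile(
    r"(?:S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)"
    r"|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM"
    r"|INSERT.+INTO|/\*.+\*/|EXEC)", re.I)

# Assumption: Apache/nginx "combined" access-log format.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def classify(line):
    """Return None for unrelated requests, else a finding for the plugin endpoint."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, _method, target, status = m.groups()
    # parse_qs percent-decodes and maps '+' to space, so encoded keywords still match.
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if "get_data_from_database" not in (v.lower() for v in params.get("cffaction", [])):
        return None
    return {
        "src": src,
        "has_query": "query" in params,
        # Equivalent of the rule's PCRE hit on the query= value.
        "sql_keywords": any(SQL_RE.search(v) for v in params.get("query", [])),
        # A 200 means the response body should be reviewed for dumped rows.
        "served": status == "200",
    }

def scan(lines):
    """Every hit on the endpoint is reported; the flags only grade it."""
    return [f for f in map(classify, lines) if f]

# Constructed sample lines (not real traffic); addresses are documentation ranges.
SAMPLE = [
    '203.0.113.7 - - [02/Jul/2020:10:00:00 +0000] "GET /?cffaction=get_data_from_database&query=SELECT%201%20FROM%20DUAL HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.9 - - [02/Jul/2020:10:00:05 +0000] "GET /?cffaction=get_data_from_database&query=%53ELECT+1+FROM+DUAL HTTP/1.1" 403 199 "-" "-"',
    '192.0.2.44 - - [02/Jul/2020:10:00:09 +0000] "GET /?cffaction=get_data_from_database HTTP/1.1" 200 20 "-" "-"',
    '192.0.2.50 - - [02/Jul/2020:10:00:12 +0000] "GET /?p=12 HTTP/1.1" 200 9120 "-" "-"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Requests that reach the endpoint without SQL keywords are still reported, in line with the note above that any unauthenticated hit on this path is high-confidence malicious.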
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
Suricata
ET EXPLOIT Paypal Pro < 1.1.65 SQLi (CVE-2020-14092)
suricata·2021-08-02·CVSS 9.8
Exploit-DB
Cayin Content Management Server 11.0 - Remote Command Injection (root)
exploitdb·2020-06-04
---
# Title: Cayin Content Management Server 11.0 - Remote Command Injection (root)
# Author:LiquidWorm
# Date: 2020-06-04
# Vendor: https://www.cayintech.com
# CVE: N/A
Cayin Content Management Server 11.0 Root Remote Command Injection
Vendor: CAYIN Technology Co., Ltd.
Product web page: https://www.cayintech.com
Affected version: CMS-SE v11.0 Build 19179
CMS-SE v11.0 Build 19025
CMS-SE v11.0 Build 18325
CMS Station (CMS-SE-LXC)
CMS-60 v11.0 Build 19025
CMS-40 v9.0 Build 14197
CMS-40 v9.0 Build 14099
CMS-40 v9.0 Build 14093
CMS-20 v9.0 Build 14197
CMS-20 v9.0 Build 14092
CMS v8.2 Build 12199
CMS v8.0 Build 11175
CMS v7.5 Build 11175
Summary: CAYIN Technology provides Digital Signage
solutions, including media play
Exploit-DB
Cayin Signage Media Player 3.0 - Remote Command Injection (root)
exploitdb·2020-06-04
---
# Title: Cayin Signage Media Player 3.0 - Remote Command Injection (root)
# Author:LiquidWorm
# Date: 2020-06-04
# Vendor: https://www.cayintech.com
# CVE: N/A
#!/usr/bin/env python3
#
#
# Cayin Signage Media Player 3.0 Root Remote Command Injection
#
#
# Vendor: CAYIN Technology Co., Ltd.
# Product web page: https://www.cayintech.com
# Affected version: SMP-8000QD v3.0
# SMP-8000 v3.0
# SMP-6000 v3.0 Build 19025
# SMP-6000 v1.0 Build 14246
# SMP-6000 v1.0 Build 14199
# SMP-6000 v1.0 Build 14167
# SMP-6000 v1.0 Build 14097
# SMP-6000 v1.0 Build 14090
# SMP-6000 v1.0 Build 14069
# SMP-6000 v1.0 Build 14062
# SMP-4000 v1.0 Build 14098
# SMP-4000 v1.0 Build 14092
# SMP-4000 v1.0 Build 14087
# SMP-2310 v3.0
# SMP-2300 v3.0
Nuclei
WordPress PayPal Pro <1.1.65 - SQL Injection
nuclei·CVSS 9.8
WordPress PayPal Pro plugin before 1.1.65 is susceptible to SQL injection via the 'query' parameter which allows for any unauthenticated user to perform SQL queries with the results output to a web page in JSON format.
Template:
id: CVE-2020-14092
info:
  name: WordPress PayPal Pro <1.1.65 - SQL Injection
  author: princechaddha
  severity: critical
  description: WordPress PayPal Pro plugin before 1.1.65 is susceptible to SQL injection via the 'query' parameter which allows for any unauthenticated user to perform SQL queries with the results output to a web page in JSON format.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, o
- https://wordpress.dwbooster.com/forms/payment-form-for-paypal-pro
- https://wordpress.org/plugins/payment-form-for-paypal-pro/#developers
- https://wpvulndb.com/vulnerabilities/10287
Published: 2020-07-02