vendor:
Good LMS
by:
Abdulazeez Alaseeri
N/A
CVSS
CRITICAL
Unauthenticated SQL Injection
89
CWE
Product Name: Good LMS
Affected Version From: <= 2.1.4
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Platforms Tested: Linux
2020
WordPress Plugin Good LMS 2.1.4 – ‘id’ Unauthenticated SQL Injection
The vulnerability allows an attacker to perform an SQL injection attack in the Good Layers LMS Plugin version 2.1.4 or earlier. The vulnerable code is located in the file 'goodlayers-lms/include/lightbox-form.php' from line 682 to 701. The SQL injection occurs in the 'id' parameter of the SQL query. An attacker can manipulate the 'id' parameter to execute arbitrary SQL commands.
Mitigation:
To mitigate this vulnerability, it is recommended to update the Good Layers LMS Plugin to a version that is not affected by the SQL injection vulnerability. Additionally, input validation and parameterized queries should be implemented to prevent SQL injection attacks.