CVE-2020-8596

participants-database.php in the Participants Database plugin 1.9.5.5 and previous versions for WordPress has a time-based SQL injection vulnerability via the ascdesc, list_filter_count, or sortBy parameters. It is possible to exfiltrate data and potentially execute code (if certain conditions are met).
SQL Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 78%
VendorProductVersion
xnauparticipants_database
𝑥
≤ 1.9.5.5
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://blog.impenetrable.tech/cve-2020-8596
https://wpvulndb.com/vulnerabilities/10068
https://blog.impenetrable.tech/cve-2020-8596
https://wpvulndb.com/vulnerabilities/10068