CVE-2015-2314 Information

Description

SQL injection vulnerability in the WPML plugin before 3.1.9 for WordPress allows remote attackers to execute arbitrary SQL commands via the lang parameter in the HTTP Referer header in a wp-link-ajax action to comments/feed.

Reference

http://klikki.fi/adv/wpml.html http://packetstormsecurity.com/files/130810/WordPress-WPML-XSS-Deletion-SQL-Injection.html http://seclists.org/fulldisclosure/2015/Mar/71 http://wpml.org/2015/03/wpml-security-update-bug-and-fix/ http://www.osvdb.org/119541 http://www.securityfocus.com/archive/1/534862/100/0/threaded