Security readout for executives and security teams
Plain-English summary
A WordPress plugin called Easy Testimonial Slider and Form (versions 1.0.2 and earlier) has a flaw that lets a logged-in administrator manipulate database queries to read sensitive data. Because exploitation requires existing admin access, the practical risk is limited, but compromised or malicious admin accounts could use it to extract information.
Executive priority
Lower-tier priority for most organizations: a real flaw, but exploitation requires an attacker who already holds admin access. Treat as routine plugin hygiene unless the affected site handles sensitive data or shares admin credentials broadly, in which case accelerate removal or replacement.
Technical view
The plugin fails to properly escape and prepare the 'id' parameter, enabling SQL injection (CWE-89) into existing queries. CVSS 3.1 base score is 4.9 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N), reflecting high confidentiality impact but requiring high privileges. An authenticated attacker at Administrator level or above can append SQL to extract database contents.
Likely exposure
WordPress sites running the Easy Testimonial Slider and Form plugin (vendor nik00726) at version 1.0.2 or earlier. Exposure is limited to environments where untrusted or potentially compromised users hold Administrator privileges, or where admin credentials could be stolen via phishing or reuse.
Exploitation context
Not listed in CISA KEV. The provided sources do not cite active exploitation in the wild. Exploitation requires Administrator-level authentication, which significantly raises the bar. Wordfence threat intelligence catalogs the issue but no public exploit campaign is referenced in the bundle.
Researcher notes
CWE-89 SQL injection via 'id' parameter; PR:H per CVSS vector limits attack surface. No KEV entry, no cited PoC in bundle. Affected entry lists versions ["0"] with defaultStatus "unaffected" — interpret cautiously and rely on the description's stated range "<= 1.0.2". Verify fix availability directly with vendor/WordPress.org before declaring remediated.
Mitigation direction
- Inventory WordPress sites for the Easy Testimonial Slider and Form plugin and identify version 1.0.2 or earlier.
- Check the WordPress.org plugin page and Wordfence advisory for vendor-supplied updates or guidance.
- If no fixed version is available, deactivate and remove the plugin until vendor remediation is confirmed.
- Restrict and audit Administrator accounts; enforce MFA and strong, unique credentials.
- Apply WAF rules from Wordfence or equivalent to monitor suspicious admin-area parameter activity.
Validation and detection
- Enumerate plugin presence and version via WordPress admin or wp-cli plugin list.
- Cross-reference detected versions against the Wordfence advisory entry for this CVE.
- Review admin user list for unexpected or stale accounts and recent privilege changes.
- Inspect web and database logs for unusual queries originating from admin-authenticated sessions.
- Confirm absence (or presence) of a vendor patch on the WordPress.org plugin listing.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-89: Database access and collection lookup
Injection into data stores can inform collection, data access, and exfiltration detection reviews. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupDatabase behavior lookup
The CVE wording references database injection or access, so collection and exfiltration review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
Open ATT&CK lookupCVE-2015-10147 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Medium
- CVSS
- 4.9 (3.1)
- Known Exploited
- No
- Published
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS vector scores
1 official scoreWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N1.23.6Primary CVE scoreVulnerability scoring details
Base CVSS 3.1 score
4.9MediumVector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Source materials
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
