CVE-2019-14230
Description
An issue was discovered in the Viral Quiz Maker - OnionBuzz plugin before 1.2.7 for WordPress. One could exploit the id parameter in the set_count ajax nopriv handler due to there being no sanitization prior to use in a SQL query in saveQuestionVote. This allows an unauthenticated/unprivileged user to perform a SQL injection attack capable of remote code execution and information disclosure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- WordPress / Viral Quiz Maker - OnionBuzz plugin
- Range: <1.2.7
Patches
Vulnerability mechanics
Root cause
"Missing input sanitization on the `id` parameter in the `set_count` AJAX nopriv handler allows SQL injection in the `saveQuestionVote` function."
Attack vector
An unauthenticated attacker sends a crafted POST request to `/wp-admin/admin-ajax.php` with `type=set_count` and `action=ob_question_votes`, injecting SQL into the `id` parameter [ref_id=1][ref_id=2]. The lack of sanitization on the `id` argument before it is used in a SQL query in `saveQuestionVote` allows the attacker to execute arbitrary SQL commands, potentially leading to remote code execution and information disclosure [ref_id=1][ref_id=2].
Affected code
The vulnerability resides in the `set_count` AJAX nopriv handler, specifically in the `saveQuestionVote` function. The `id` parameter is passed unsanitized into a SQL query [ref_id=1][ref_id=2].
What the fix does
The advisory states the issue was fixed in version 1.2.7 of the plugin [ref_id=1][ref_id=2]. No patch diff is provided in the bundle, but the fix presumably adds proper sanitization or parameterized queries for the `id` parameter in the `set_count` handler's `saveQuestionVote` function to prevent SQL injection.
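As an added illustration (not the plugin's own code and not the project's patch, which is not in the bundle), the following hypothetical PHP shows the pattern the advisory describes and the kind of fix it implies: cast the `id` to an integer and bind it through `$wpdb->prepare()`. The function names, the table name and the hook wiring are assumptions; only the request shape (`type=set_count`, `action=ob_question_votes`, `id` in the POST body) comes from the advisory.

```php
<?php
// Hypothetical reconstruction of an AJAX vote handler (not the plugin's code).
// Table and function names are assumptions made for this example.

// VULNERABLE pattern: the raw POST value is concatenated into the statement,
// so a value such as "1 or sleep(10);#" rewrites the WHERE clause.
function ob_save_question_vote_vulnerable( $id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'onionbuzz_question_votes'; // assumed table name
    return $wpdb->query( "UPDATE {$table} SET votes = votes + 1 WHERE id = " . $id );
}

// HARDENED: coerce to a non-negative integer and bind it with a %d placeholder.
// $wpdb->prepare() returns the statement with the value safely interpolated.
function ob_save_question_vote_fixed( $id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'onionbuzz_question_votes'; // assumed table name
    $id    = absint( $id ); // non-numeric or negative input becomes 0
    if ( 0 === $id ) {
        return false; // reject rather than run the query against row 0
    }
    $sql = $wpdb->prepare(
        "UPDATE {$table} SET votes = votes + 1 WHERE id = %d",
        $id
    );
    return $wpdb->query( $sql ); // rows affected, or false on DB error
}

// nopriv handler: reachable without any login, which is why the input
// check above has to live in the data layer rather than behind a capability.
function ob_question_votes_handler() {
    $type = isset( $_GET['type'] ) ? sanitize_key( $_GET['type'] ) : '';
    if ( 'set_count' !== $type ) {
        wp_send_json_error( 'unknown type', 400 );
    }
    $id     = isset( $_POST['id'] ) ? $_POST['id'] : 0;
    $result = ob_save_question_vote_fixed( $id );
    if ( false === $result ) {
        wp_send_json_error( 'invalid question id', 400 );
    }
    wp_send_json_success( array( 'updated' => $result ) );
}
add_action( 'wp_ajax_ob_question_votes', 'ob_question_votes_handler' );
add_action( 'wp_ajax_nopriv_ob_question_votes', 'ob_question_votes_handler' );
```

With the hardened version, the advisory's time-based payload becomes `absint("1 or sleep(10);#") === 1`, so only the vote counter for question 1 changes and nothing attacker-controlled reaches the SQL text.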
Preconditions
- network: The attacker must be able to send HTTP POST requests to the WordPress site.
- auth: No authentication or privilege is required; the AJAX nopriv handler is accessible to unauthenticated users.
- config: The vulnerable plugin version must be prior to 1.2.7.
- input: The attacker must supply a malicious SQL payload in the `id` POST parameter.
Reproduction
Send a POST request to the WordPress site's admin-ajax.php endpoint with the `type=set_count` query parameter and the body `action=ob_question_votes&id=1 or sleep(10);#`. For example: `curl http://site/wp-admin/admin-ajax.php?type=set_count --data "action=ob_question_votes&id=1 or sleep(10);#"` [ref_id=1][ref_id=2].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.openwall.com/lists/oss-security/2019/07/23/1 (MITRE, mailing list, x_refsource_MLIST)
- www.openwall.com/lists/oss-security/2019/07/21/1 (MITRE, x_refsource_MISC)