CVE-2008-0845 in Dean Logan WP-People plugin
Summary
by MITRE
SQL injection vulnerability in wp-people-popup.php in Dean Logan WP-People plugin 1.6.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the person parameter.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 12/20/2025
The CVE-2008-0845 vulnerability represents a critical sql injection flaw in the wp-people-popup.php script of the Dean Logan WP-People plugin version 1.6.1 for WordPress. This vulnerability falls under the common weakness enumeration CWE-89 which specifically addresses improper neutralization of special elements used in sql commands. The flaw exists due to inadequate input validation and sanitization of the person parameter, which is directly incorporated into sql query construction without proper escaping or parameterization mechanisms. Attackers can exploit this vulnerability by crafting malicious sql payloads through the person parameter, potentially gaining unauthorized access to the underlying database and executing arbitrary sql commands.
The operational impact of this vulnerability extends beyond simple data theft, as it provides attackers with elevated privileges within the wordpress environment. When exploited successfully, the vulnerability enables remote code execution capabilities that can lead to complete system compromise. The attack vector is particularly concerning because it requires no authentication and can be executed through standard web browser interactions, making it highly accessible to threat actors. The vulnerability affects all wordpress installations running the affected plugin version, creating a widespread attack surface that could be leveraged for data exfiltration, privilege escalation, or even backdoor installation. According to the ATT&CK framework, this vulnerability maps to T1190 - Exploit Public-Facing Application, where attackers target web applications to gain initial access to systems.
Mitigation strategies for CVE-2008-0845 should prioritize immediate plugin updates to versions that address the sql injection vulnerability, as the original affected version 1.6.1 is no longer supported. System administrators should implement input validation measures that sanitize all user-supplied data before processing, particularly focusing on sql injection prevention techniques such as prepared statements and parameterized queries. Network-level defenses including web application firewalls and intrusion detection systems can provide additional protection layers by monitoring for suspicious sql patterns in web traffic. Security monitoring should include regular vulnerability scanning of wordpress installations to identify outdated plugins and themes that may contain similar vulnerabilities. The remediation process must also involve comprehensive database access controls and regular security audits to ensure that no unauthorized modifications have occurred. Organizations should establish robust patch management procedures to quickly address similar vulnerabilities when they are discovered in their wordpress environments, as the lack of proper input sanitization represents a fundamental security flaw that could be exploited by automated scanning tools.