CVE-2015-2292 in WordPress SEO
Summary
by MITRE
Multiple SQL injection vulnerabilities in admin/class-bulk-editor-list-table.php in the WordPress SEO by Yoast plugin before 1.5.7, 1.6.x before 1.6.4, and 1.7.x before 1.7.4 for WordPress allow remote authenticated users to execute arbitrary SQL commands via the (1) order_by or (2) order parameter in the wpseo_bulk-editor page to wp-admin/admin.php. NOTE: this can be leveraged using CSRF to allow remote attackers to execute arbitrary SQL commands.
Analysis
by VulDB Data Team • 02/27/2025
CVE-2015-2292 is a critical SQL injection flaw in the WordPress SEO by Yoast plugin, affecting releases before 1.5.7, the 1.6.x branch before 1.6.4, and the 1.7.x branch before 1.7.4. The vulnerable code lives in admin/class-bulk-editor-list-table.php and is reached through the wpseo_bulk-editor page handler in the WordPress admin interface. The flaw allows authenticated users with sufficient privileges to manipulate database queries through crafted input parameters, creating a pathway for arbitrary SQL command execution that could compromise the entire WordPress installation.
The vulnerability stems from improper input sanitization in the plugin's administrative interface. The order_by and order parameters submitted to the wp-admin/admin.php endpoint are incorporated directly into database queries without adequate validation or escaping, so an attacker can use them to inject SQL. Exploitation requires an authenticated user account, typically with administrator or editor privileges, though the CSRF vector described above could extend the threat to unauthenticated attackers who trick a logged-in user into submitting a crafted request.
The operational impact of CVE-2015-2292 extends beyond simple data theft or modification. Successful exploitation could let attackers extract sensitive information from the WordPress database, modify user accounts, inject malicious content, or escalate privileges within the WordPress environment. Because the plugin is widely used, compromised sites could suffer widespread data breaches, loss of user trust, and potentially full system compromise. That the flaw can be leveraged through CSRF significantly increases its threat surface, since an attacker does not need an account of their own, only a logged-in user who can be induced to submit the crafted request.
Security professionals should note that this vulnerability aligns with CWE-89 (SQL injection). The ATT&CK framework categorizes it as a database access technique in which adversaries exploit application vulnerabilities to gain unauthorized access to backend databases. Organizations should implement immediate patch management procedures and upgrade to version 1.5.7, 1.6.4, or 1.7.4, depending on the branch currently installed. Additional mitigations include proper input validation, prepared statements for database queries, and monitoring for unusual administrative activity that might indicate exploitation attempts. The vulnerability is a reminder of the importance of securing the WordPress plugin ecosystem, where third-party components often become attack vectors because of insufficient security testing and validation.
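As an added example (not the plugin's own code, which this page does not reproduce), the remediation the two preceding paragraphs call for, in PHP: an allowlist check on order_by and order before they reach the ORDER BY clause. Prepared statements alone cannot close this class of bug, because column identifiers and sort direction cannot be bound as parameters; the function and column names below are assumptions.

```php
<?php
// Added example, not code from the Yoast plugin: an allowlist-based
// ORDER BY builder. Prepared statements can bind values but not column
// names or sort direction, so order_by / order from a request have to be
// mapped onto fixed, known-good values before they reach the query.
// Function and column names here are assumptions for illustration.

/**
 * Build an ORDER BY clause from untrusted request parameters.
 *
 * @param array  $request      Request parameters (normally $_GET).
 * @param array  $allowed_cols Column names sorting is permitted on.
 * @param string $default_col  Column used when order_by is missing or rejected.
 * @return string              Clause such as "ORDER BY `post_title` DESC".
 */
function build_order_clause(array $request, array $allowed_cols, string $default_col): string
{
    $col = $request['order_by'] ?? $default_col;
    // Strict comparison against the allowlist; a non-string (e.g. order_by[]=)
    // or unknown value falls back to the default, the raw input is never used.
    if (!is_string($col) || !in_array($col, $allowed_cols, true)) {
        $col = $default_col;
    }
    // Direction collapses to one of two literals rather than being echoed back.
    $raw_dir = $request['order'] ?? 'ASC';
    $dir = (is_string($raw_dir) && strtoupper($raw_dir) === 'DESC') ? 'DESC' : 'ASC';
    return sprintf('ORDER BY `%s` %s', $col, $dir);
}

// Constructed sample requests: one valid, one with values outside the allowlist.
$allowed = ['ID', 'post_title', 'post_date'];
$requests = [
    ['order_by' => 'post_title', 'order' => 'desc'],
    ['order_by' => 'post_title, post_date', 'order' => 'desc; x'],
];
foreach ($requests as $r) {
    echo build_order_clause($r, $allowed, 'ID'), PHP_EOL;
}
```

The second request falls back to the defaults (`ID`, `ASC`) because neither value survives the allowlist, which is the behaviour a monitoring rule can also key on: rejected order_by/order values on the wpseo_bulk-editor page are worth logging.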