CVE-2015-1000003

9.8 CRITICAL

📋 TL;DR

This vulnerability allows attackers to perform blind SQL injection attacks through the filedownload v1.4 WordPress plugin. Attackers can extract database information, modify data, or potentially gain administrative access to affected WordPress sites. Any WordPress site using the vulnerable plugin version is affected.

💻 Affected Systems

Products:
  • WordPress filedownload plugin
Versions: v1.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects WordPress installations with the filedownload plugin v1.4 installed and activated.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the WordPress database, including extraction of sensitive user data, administrative credential theft, and full site takeover.

🟠 Likely Case

Data exfiltration from the WordPress database, including user information, posts, and potentially authentication credentials.

🟢 If Mitigated

Limited information disclosure if database permissions are properly restricted and input validation is enforced elsewhere.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Blind SQL injection requires more requests than traditional SQLi but automated tools exist.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.5 or later

Vendor Advisory: http://www.vapidlabs.com/advisory.php?v=140

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Locate the filedownload plugin.
4. Click 'Update Now' if an update is available.
5. If no update is offered, deactivate and delete the plugin, then install the latest version from the WordPress repository.

🔧 Temporary Workarounds

Immediate Plugin Deactivation (platform: all)

Temporarily disable the vulnerable plugin to prevent exploitation:

wp plugin deactivate filedownload

Web Application Firewall Rule (platform: linux)

Block SQL injection patterns targeting filedownload endpoints with a ModSecurity rule:

SecRule ARGS "(?i:(union|select|insert|update|delete|drop|alter).*?)" "id:1000003,phase:2,deny,status:403,msg:'CVE-2015-1000003 filedownload SQLi attempt'"

Note that, as written, the rule inspects every request argument site-wide, so any parameter value that contains a word such as "update" or "select" (a search term, a post title) is blocked. Scope it to requests whose path is under /wp-content/plugins/filedownload/ and test it in detection-only mode before switching it to deny.

🧯 If You Can't Patch

  • Remove filedownload plugin completely and use alternative file download solutions
  • Implement strict input validation and parameterized queries in custom code
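The second bullet in practice: an added example (not the plugin's code, and not taken from the advisory) that puts a string-concatenated lookup beside a validated, parameterized one, using an in-memory sqlite3 table as a stand-in for the WordPress database. The table, column names and file ids are constructed for the example; in a WordPress plugin the parameterized form corresponds to `$wpdb->prepare()`.

```python
"""Vulnerable versus hardened file lookup. Added example using sqlite3 in
memory; the schema and rows are constructed and are not the plugin's."""
import sqlite3


def make_db():
    """Constructed table: one public file and one that must never be served."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE files (id INTEGER PRIMARY KEY, name TEXT, public INTEGER)"
    )
    conn.executemany(
        "INSERT INTO files VALUES (?, ?, ?)",
        [(1, "brochure.pdf", 1), (2, "internal-roadmap.pdf", 0)],
    )
    return conn


def lookup_unsafe(conn, raw_id):
    """The defect class behind the advisory: the request value is pasted into
    the SQL text, so it can change the WHERE clause instead of filling it."""
    sql = f"SELECT name FROM files WHERE public = 1 AND id = {raw_id}"
    return [row[0] for row in conn.execute(sql)]


def validate_file_id(raw_id):
    """Allow-list validation: a file id is a decimal integer and nothing else."""
    if not raw_id.isdigit():
        raise ValueError("file id must be a positive integer")
    return int(raw_id)


def lookup_param_only(conn, raw_id):
    """Parameterized query without validation: the driver binds the value as a
    literal, so it can only ever be compared against id, never parsed as SQL."""
    rows = conn.execute(
        "SELECT name FROM files WHERE public = 1 AND id = ?", (raw_id,)
    )
    return [row[0] for row in rows]


def lookup_safe(conn, raw_id):
    """Both layers: reject malformed input early, then bind the value."""
    return lookup_param_only(conn, validate_file_id(raw_id))


if __name__ == "__main__":
    db = make_db()
    probe = "2 OR 1=1"  # constructed: turns the AND filter into a match-all
    print("unsafe:", lookup_unsafe(db, probe))       # leaks the non-public file
    print("param only:", lookup_param_only(db, probe))  # []
    try:
        lookup_safe(db, probe)
    except ValueError as exc:
        print("safe:", exc)
    print("safe, valid id:", lookup_safe(db, "1"))
```

Validation alone is not enough (a field that must accept free text cannot be allow-listed this tightly), and parameterization alone still lets nonsense reach the database; together they make the `public = 1` restriction hold regardless of what arrives in the request.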

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Installed Plugins for filedownload v1.4

Check Version:

wp plugin list --name=filedownload --field=version

Verify Fix Applied:

Verify plugin version is v1.5 or later in WordPress admin panel

📡 Detection & Monitoring

Log Indicators:

  • SQL syntax errors in WordPress debug logs
  • Unusual database queries from web server process
  • Multiple failed requests to filedownload endpoints

Network Indicators:

  • HTTP requests containing SQL keywords to /wp-content/plugins/filedownload/
  • Unusual outbound database connections from web server

SIEM Query:

source="web_server" AND (uri="*filedownload*" AND (query="*union*" OR query="*select*" OR query="*insert*"))
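The log and network indicators above, turned into something that runs: an added example (not part of the advisory) that scans combined-format web server log lines for requests under the plugin path whose URL-decoded parameters carry the SQL keywords from the SIEM query or the time-based and boolean-based markers that blind probes use, and that counts requests per client to surface the many-request pattern the Exploit Status section describes. The log lines, the `handler.php` script name under the plugin directory and the burst threshold are constructed for the example.

```python
"""Scan web server logs for SQLi probes against the filedownload plugin path.
Added example; log lines, script name and threshold are constructed."""
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote_plus, urlsplit

PLUGIN_PATH = "/wp-content/plugins/filedownload/"

# Combined Log Format: ip - - [ts] "METHOD target HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Keywords from the advisory's SIEM query, plus the functions time-based blind
# probes rely on and the quote-then-boolean shape of boolean-based probes.
SQLI_RE = re.compile(
    r"\b(union|select|insert|update|delete|drop|alter)\b"
    r"|\b(sleep|benchmark)\s*\("
    r"|'\s*(or|and)\b",
    re.IGNORECASE,
)

BURST_THRESHOLD = 5  # constructed: blind SQLi needs many requests per client


def is_plugin_request(target):
    """True when the request path is under the plugin directory."""
    return urlsplit(target).path.startswith(PLUGIN_PATH)


def suspicious_params(target):
    """(name, decoded value) pairs whose value matches a SQLi marker."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote_plus(value)  # second pass catches double-encoding
        if SQLI_RE.search(decoded):
            hits.append((name, decoded))
    return hits


def scan_log(lines):
    """Return (findings, bursts): flagged requests, and clients whose count of
    plugin requests reaches BURST_THRESHOLD."""
    findings = []
    per_ip = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_plugin_request(m.group("target")):
            continue
        per_ip[m.group("ip")] += 1
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append(
                {"ip": m.group("ip"), "status": m.group("status"), "params": hits}
            )
    bursts = {ip: n for ip, n in per_ip.items() if n >= BURST_THRESHOLD}
    return findings, bursts


# Constructed sample log: one benign download, one site search containing
# "select" outside the plugin path, one UNION probe, then a boolean-based
# blind burst from a single client.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-content/plugins/filedownload/handler.php?id=12 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /?s=select+a+file HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:57:10 +0000] "GET /wp-content/plugins/filedownload/handler.php?id=12%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 0 "-" "curl/7.88"',
] + [
    f'203.0.113.5 - - [10/Oct/2023:13:58:{i:02d} +0000] "GET /wp-content/plugins/filedownload/handler.php?id=12%27%20AND%201%3D{i}--%20 HTTP/1.1" 200 4096 "-" "curl/7.88"'
    for i in range(5)
]

if __name__ == "__main__":
    found, bursty = scan_log(SAMPLE_LOG)
    for f in found:
        print(f["ip"], f["status"], f["params"])
    print("burst clients:", bursty)
```

Scoping to the plugin path is what keeps the site search with "select" in it out of the results, which is the same narrowing the broad ModSecurity rule in the workarounds section lacks. The burst count is deliberately separate from the keyword match: a boolean-based blind probe whose payload happens to dodge the regex still shows up as an unusual volume of requests to one handler from one client.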
