CVE-2015-10147

4.9 MEDIUM

📋 TL;DR

This SQL injection vulnerability in the Easy Testimonial Slider and Form WordPress plugin allows authenticated attackers with Administrator privileges to execute arbitrary SQL queries. Attackers can extract sensitive data from the database, including user credentials and other confidential information. Only WordPress sites using vulnerable versions of this specific plugin are affected.

💻 Affected Systems

Products:
  • Easy Testimonial Slider and Form WordPress Plugin
Versions: All versions up to and including 1.0.2
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires attacker to have Administrator-level WordPress access; vulnerability exists in default plugin configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to credential theft, data exfiltration, privilege escalation, and potential site takeover.

🟠 Likely Case

Extraction of sensitive user data, admin credentials, and potentially other database contents by malicious administrators.

🟢 If Mitigated

Limited impact due to proper access controls and monitoring preventing unauthorized administrator access.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated administrator access; SQL injection via 'id' parameter manipulation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after 1.0.2

Vendor Advisory: https://wordpress.org/plugins/easy-testimonial-rotator

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Easy Testimonial Slider and Form'.
4. Click 'Update Now' if an update is available.
5. If no update is available, deactivate and delete the plugin immediately.

🔧 Temporary Workarounds

Remove vulnerable plugin (platform: WordPress)

Deactivate and delete the vulnerable plugin version:

wp plugin deactivate easy-testimonial-rotator
wp plugin delete easy-testimonial-rotator

🧯 If You Can't Patch

  • Implement strict access controls to limit administrator accounts
  • Enable WordPress security plugins with SQL injection detection

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Easy Testimonial Slider and Form → Version number

Check Version:

wp plugin get easy-testimonial-rotator --field=version

Verify Fix Applied:

Confirm plugin version is higher than 1.0.2 or plugin is removed
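The version check above, written out as a small POSIX shell script. This is an added example, not code from the advisory or the plugin project; it reads the installed version with the wp-cli command shown on this page (plugin slug easy-testimonial-rotator), compares it against 1.0.2 without relying on sort -V, and reports "vulnerable" or "fixed". The function names and the --check flag are this example's own.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether an installed
# Easy Testimonial Slider and Form version is within the affected range.

LAST_AFFECTED="1.0.2"                  # last affected release per the advisory
PLUGIN_SLUG="easy-testimonial-rotator" # slug used by the wp-cli commands on this page

# version_le A B: returns 0 if A <= B, comparing dot-separated numeric
# components (1.0.10 > 1.0.2, missing components count as 0, trailing
# non-digits such as "-beta" are ignored). Pure POSIX sh, no sort -V.
version_le() {
  a="$1" b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ah=${a%%.*}; bh=${b%%.*}
    [ "$ah" = "$a" ] && a="" || a=${a#*.}
    [ "$bh" = "$b" ] && b="" || b=${b#*.}
    ah=${ah%%[!0-9]*}; bh=${bh%%[!0-9]*}
    ah=${ah:-0}; bh=${bh:-0}
    if [ "$ah" -lt "$bh" ]; then return 0; fi
    if [ "$ah" -gt "$bh" ]; then return 1; fi
  done
  return 0
}

# plugin_version_status VERSION: prints "vulnerable" if VERSION <= 1.0.2,
# otherwise "fixed".
plugin_version_status() {
  if version_le "$1" "$LAST_AFFECTED"; then
    echo vulnerable
  else
    echo fixed
  fi
}

# check_installed: query wp-cli on the host and classify the result.
# A missing plugin (or missing wp-cli) is reported rather than treated as an error.
check_installed() {
  installed=$(wp plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null) || {
    echo "$PLUGIN_SLUG: not installed or wp-cli unavailable"
    return 0
  }
  echo "$PLUGIN_SLUG $installed: $(plugin_version_status "$installed")"
}

# Usage on a WordPress host: sh check_plugin.sh --check
if [ "${1:-}" = "--check" ]; then
  check_installed
fi
```

Run it from the WordPress document root (or with `--path` set for wp-cli) as the web user; a result of "fixed" means the installed version is above 1.0.2, which is the condition the advisory gives for the fix being applied.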

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in WordPress/database logs
  • Multiple failed administrator login attempts followed by plugin access

Network Indicators:

  • Unusual database connection patterns from WordPress instance

SIEM Query:

source="wordpress.log" AND "easy-testimonial" AND ("SELECT" OR "UNION" OR "INSERT" OR "DELETE")
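A grep-based stand-in for the SIEM query above, run over a few constructed log lines so the matching logic can be checked offline. This is an added example, not part of the advisory; the log lines and their format are constructed for the example, and the two functions show the one caveat a practitioner would want: the query as written matches uppercase keywords only, so a case-insensitive variant is also given.

```shell
#!/bin/sh
# Added example (not from the advisory): apply the page's SIEM filter
# ("easy-testimonial" AND one of SELECT/UNION/INSERT/DELETE) to sample lines.

# Constructed sample log lines; the format is invented for this example.
SAMPLE_LOG='10.0.0.5 - admin [01/Jan/2025:10:00:00] "GET /wp-admin/admin.php?page=easy-testimonial&id=3 HTTP/1.1" 200
10.0.0.5 - admin [01/Jan/2025:10:00:05] "GET /wp-admin/admin.php?page=easy-testimonial&id=3 UNION SELECT 1,2,3 HTTP/1.1" 200
10.0.0.9 - editor [01/Jan/2025:10:01:00] "GET /wp-admin/edit.php HTTP/1.1" 200
10.0.0.5 - admin [01/Jan/2025:10:02:00] "GET /wp-admin/admin.php?page=easy-testimonial&id=3%20union%20select HTTP/1.1" 200'

# Literal translation of the SIEM query: case-sensitive keyword match.
match_case_sensitive() {
  printf '%s\n' "$1" | grep 'easy-testimonial' | grep -E 'SELECT|UNION|INSERT|DELETE'
}

# Same filter with -i, so lowercase or mixed-case keywords are also caught.
match_case_insensitive() {
  printf '%s\n' "$1" | grep -i 'easy-testimonial' | grep -iE 'SELECT|UNION|INSERT|DELETE'
}

# Count helpers so the two variants can be compared directly.
count_case_sensitive() {
  match_case_sensitive "$1" | wc -l | tr -d ' '
}
count_case_insensitive() {
  match_case_insensitive "$1" | wc -l | tr -d ' '
}

# Usage: prints the lines the case-insensitive filter flags.
match_case_insensitive "$SAMPLE_LOG"
```

On the sample above the literal query flags one line and the case-insensitive variant flags two; whichever SIEM you use, confirm whether its string matching is case-sensitive before relying on the query as written.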
