CVE-2017-20245

Deferred Deferred - Pending Action

SQL Injection in Wow Viral Signups WordPress Plugin

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: VulnCheck

Description

Wow Viral Signups 2.1 WordPress plugin contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by exploiting the unescaped 'idsignup' POST parameter. Attackers can send crafted requests to the admin-ajax.php endpoint with malicious SQL payloads in the 'idsignup' parameter to read arbitrary data from the database.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-06-09

Last Modified

2026-06-09

Generated

2026-06-09

AI Q&A

2026-06-09

EPSS Evaluated

N/A

NVD

CVE-2017-20245

EUVD

EUVD-2017-18971

Affected Vendors & Products

Vendor	Product	Version / Range
wow-company	wow_viral_signups	to 2.1 (inc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Executive Summary

The Wow Viral Signups 2.1 WordPress plugin contains a high-severity SQL injection vulnerability. This flaw arises because the 'idsignup' POST parameter is not properly escaped, allowing unauthenticated attackers to send malicious SQL payloads to the admin-ajax.php endpoint.

By exploiting this vulnerability, attackers can extract sensitive and arbitrary data from the plugin's database, potentially compromising the confidentiality of stored information.

Impact Analysis

This vulnerability can have serious impacts including unauthorized access to sensitive database information. Attackers can read arbitrary data from the database without any authentication.

If the web server is misconfigured, attackers might also gain read and write access to the filesystem, increasing the risk of further compromise.

Overall, this can lead to data breaches, loss of data confidentiality, and potential damage to the integrity of your system.

Detection Guidance

This SQL injection vulnerability can be detected by monitoring for suspicious POST requests to the admin-ajax.php endpoint containing the 'idsignup' parameter with potentially malicious SQL payloads.

Security tools like sqlmap can be used to test the vulnerability by targeting the 'idsignup' POST parameter to check for SQL injection flaws.

Use sqlmap with a command similar to: sqlmap -u "http://targetsite.com/wp-admin/admin-ajax.php" --data="idsignup=1" -p idsignup --technique=BT
Monitor web server logs for unusual POST requests to admin-ajax.php containing suspicious SQL keywords or payloads in the 'idsignup' parameter.

Mitigation Strategies

Immediate mitigation steps include disabling or removing the Wow Viral Signups 2.1 WordPress plugin, as it is no longer maintained and contains a critical SQL injection vulnerability.

Restrict access to the admin-ajax.php endpoint to trusted users or IP addresses to reduce exposure.

Implement web application firewall (WAF) rules to block malicious requests targeting the 'idsignup' parameter.

Monitor and audit logs for exploitation attempts and consider applying general SQL injection protections in your environment.

Compliance Impact

The SQL injection vulnerability in the Wow Viral Signups 2.1 WordPress plugin allows unauthenticated attackers to extract sensitive database information by exploiting an unescaped POST parameter. This exposure of sensitive data could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require the protection of personal and sensitive information from unauthorized access.

Specifically, unauthorized data extraction due to this vulnerability could result in breaches of confidentiality and data integrity, potentially violating regulatory requirements for safeguarding personal data and reporting breaches.

Hi! I’m here to help you understand CVE-2017-20245. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2017-20245

SQL Injection in Wow Viral Signups WordPress Plugin

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart