CVE-2016-1000217
9.811.40%
Zotpress SQLi: When Citations Become Remote Execution
Alon Barad
Software EngineerJan 6, 2026·6 min read·3 visits
Weaponized
Executive Summary (TL;DR)
Zotpress versions prior to 6.1.3 fail to sanitize the 'api_user_id' parameter in AJAX requests. This allows any unauthenticated visitor to inject SQL commands directly into the WordPress database. Attackers can dump administrator credentials, modify content, or gain remote code execution capabilities. The fix involves wrapping the query in WordPress's prepared statements.
A critical SQL Injection vulnerability in the Zotpress WordPress plugin allows unauthenticated attackers to execute arbitrary SQL commands via the 'api_user_id' parameter, potentially leading to full site compromise.
Fix Analysis (1)
Technical Appendix
CVSS Score
9.8/ 10
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HEPSS Probability
11.40%
Top 7% most exploited
Affected Systems
Zotpress Plugin for WordPress < 6.1.3WordPress sites using Zotpress for citation management
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
Zotpress Katie Seaborn | < 6.1.3 | 6.1.3 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-89 (SQL Injection) |
| Attack Vector | Network (Remote) |
| CVSS v3.0 | 9.8 (Critical) |
| EPSS Score | 0.11 (11.4%) |
| Privileges Required | None |
| Exploit Status | Functional PoC / Automated |
MITRE ATT&CK Mapping
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
Known Exploits & Detection
Vulnerability Timeline
Vulnerability Published
2016-10-06
Patch (v6.1.3) Released
2016-10-06
Exploit details surfaced on ExploitDB
2016-10-10