CVE-2015-10124: 
WordPress vulnerability analysis and mitigation

A critical SQL injection vulnerability was discovered in the Most Popular Posts Widget Plugin up to version 0.8 on WordPress. The vulnerability affects the add_views/show_views functions in the functions.php file. The issue was discovered on February 2, 2015, and was assigned CVE-2015-10124. The vulnerability allows remote attackers to manipulate SQL queries through the plugin's functionality (NVD).

The vulnerability exists in the functions.php file, specifically in the add_views and show_views functions. The affected code fails to properly sanitize SQL queries, allowing for SQL injection attacks. The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating remote exploitation with no privileges or user interaction required (NVD).

The vulnerability allows attackers to execute arbitrary SQL commands on the underlying database, potentially leading to unauthorized access to sensitive data, modification of database contents, or complete compromise of the WordPress installation (NVD).

The vulnerability was patched in version 0.9 of the Most Popular Posts Widget Plugin. The fix includes proper SQL query sanitization and code cleanup, as identified in commit a99667d11ac8d320006909387b100e9a8b5c12e1. Users are strongly recommended to upgrade to version 0.9 or later to address this security issue (GitHub Patch).