WordPress Plugin Vulnerabilities

AccessPress Social Icons < 1.8.1 - Authenticated SQL Injection

Description

The plugin does not sanitise its widget attribute, allowing accounts with post permission, such as author, to perform SQL injections.

Proof of Concept

Affects Plugins

Plugin icon
accesspress-social-icons
Fixed in 1.8.1

References

CVE
CVE-2021-24143
Exploitdb
49115
URL
https://plugins.trac.wordpress.org/changeset/2409015/accesspress-social-icons/trunk/inc/frontend/shortcode.php?old=2139884

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
8.3 (high)

Miscellaneous

Original Researcher
Nguyen Van Khanh - SunCSR (Sun* Cyber Security Research)
Submitter
khanh
Submitter website
http://research.sun-asterisk.com/
Verified
Yes
WPVDB ID
02c5e10c-1ac7-447e-8ae5-b6d251be750b

Timeline

Publicly Published
2020-11-02 (about 5 years ago)
Added
2020-11-02 (about 5 years ago)
Last Updated
2021-01-22 (about 4 years ago)

Other

Published
Title
Published
2024-01-05
Title
WP ERP < 1.12.9 - Authenticated (Accounting manager+) SQL Injection
Published
2025-01-07
Title
Mailing Group Listserv < 3.0.0 - Admin+ SQL Injection
Published
2025-06-03
Title
WooCommerce Ultimate Gift Card - Create, Sell and Manage Gift Cards with Customized Email Templates < 2.9.7 - Unauthenticated SQL Injection
Published
2023-02-27
Title
Paid Memberships Pro < 2.9.12 - Subscriber+ SQL Injection
Published
2014-09-27
Title
Quartz Plugin 1.01.1 - SQL Injection