WordPress Plugin Vulnerabilities

GWA AutoResponder <= 2.3 - Unauthenticated SQL Injection

Description

The plugin does not validate and escape the listid before using it in SQL statements, leading to SQL Injections which can be exploited by unauthenticated users

Affects Plugins

Plugin icon
gwa-autoresponder
No known fix

References

CVE
CVE-2021-44779

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
8.6 (high)

Miscellaneous

Original Researcher
Lenon Leite
Verified
Yes
WPVDB ID
0b0456b0-7692-44d1-ba0c-245be55e3a31

Timeline

Publicly Published
2022-01-27 (about 4 years ago)
Added
2022-02-08 (about 4 years ago)
Last Updated
2022-04-11 (about 4 years ago)

Other

Published
Title
Published
2014-08-01
Title
SCORM Cloud < 1.0.7 - SQL Injection
Published
2026-01-28
Title
Bit Form < 2.21.11 - Authenticated (Administrator+) SQL Injection
Published
2024-01-08
Title
Barcode Scanner with Inventory & Order Manager < 1.5.2 - Unauthenticated SQL Injection via userToken
Published
2022-12-05
Title
Contest Gallery < 19.1.5 - Author+ SQL Injection
Published
2024-10-31
Title
Quran Shortcode <= 1.5 - Authenticated (Contributor+) SQL Injection