Ajax Load More < 5.3.2 – Authenticated SQL Injection | CVE 2021-24140

Description

The Ajax Load More WordPress plugin was vulnerable to SQL Injection in POST /wp-admin/admin-ajax.php with param repeater=' or sleep(5)#&type=test.

The attacker needs to be authenticated with the edit_theme_options capability, which only administrators have by default.

Proof of Concept

https://drive.google.com/open?id=14YFYBUdMhYu1vvZrCd9QAhyZQv5rAwdm
https://asciinema.org/a/LRCzXVCkKrVlIkuLXNIKUQdhI

Affects Plugins

ajax-load-more

Fixed in 5.3.2

References

CVE

CVE-2021-24140

Exploitdb

48475

URL

https://plugins.trac.wordpress.org/changeset/2308007

Classification

Type

SQLI

OWASP top 10

A1: Injection

CWE

CWE-89

CVSS

9.0 (critical)

Miscellaneous

Original Researcher

Nguyen Khanh

Submitter

khanh

Verified

WPVDB ID

1876312e-3dba-4909-97a5-afbb76fbc056

Timeline

Publicly Published

2020-05-18 (about 3 years ago)

Added

2020-05-18 (about 3 years ago)

Last Updated

2021-01-21 (about 3 years ago)

Other

Published

Title

Published

2021-11-08

Title

WP Data Access < 5.0.0 - Admin+ SQL Injection

Published

2023-10-30

Title

WP fade in text news < 12.1 - Authenticated (Subscriber+) SQL Injection via Shortcode

Published

2024-03-28

Title

WP ERP < 1.30.0 - Authenticated (Accounting Manager+) SQL Injection via id

Published

2014-11-25

Title

Google Document Embedder <= 2.5.14 - SQL Injection

Published

2022-05-02

Title

WP Contacts Manager <= 2.2.4 - Unauthenticated SQLi