Ajax Load More < 5.3.2 – Authenticated SQL Injection

Description

The Ajax Load More WordPress plugin was vulnerable to SQL Injection in POST /wp-admin/admin-ajax.php with param repeater=' or sleep(5)#&type=test.

The attacker needs to be authenticated with the edit_theme_options capability, which only administrators have by default.

Proof of Concept

https://drive.google.com/open?id=14YFYBUdMhYu1vvZrCd9QAhyZQv5rAwdm
https://asciinema.org/a/LRCzXVCkKrVlIkuLXNIKUQdhI

Affects Plugins

ajax-load-more

Fixed in 5.3.2

References

CVE

CVE-2021-24140

Exploitdb

48475

URL

https://plugins.trac.wordpress.org/changeset/2308007

Classification

Type

SQLI

OWASP top 10

A1: Injection

CWE

CWE-89

CVSS

9.0 (critical)

Miscellaneous

Original Researcher

Nguyen Khanh

Submitter

khanh

Verified

WPVDB ID

1876312e-3dba-4909-97a5-afbb76fbc056

Timeline

Publicly Published

2020-05-18 (about 3 years ago)

Added

2020-05-18 (about 3 years ago)

Last Updated

2021-01-21 (about 2 years ago)

Other

Published

Title

Published

2021-10-18

Title

Email Log < 2.4.7 - Admin+ SQL Injection

Published

2014-08-01

Title

Oqey Headers <= 0.3 - SQL Injection

Published

2014-08-01

Title

Collision Testimonials <= 3.0 - SQL Injection

Published

2014-08-01

Title

Super CAPTCHA <= 2.2.4 - SQL Injection

Published

2020-11-25

Title

WP Google Map Plugin < 4.1.5 - Authenticated SQL Injection