Themes Vulnerabilities

Goto < 2.1 - Unauthenticated Blind SQL Injection

Description

The theme did not sanitise, validate of escape the keywords GET parameter from its listing page before using it in a SQL statement, leading to an Unauthenticated SQL injection issue

Proof of Concept

Affects Themes

goto
Fixed in 2.1

References

CVE
CVE-2021-24314
URL
https://m0ze.ru/vulnerability/%5B2021-03-24%5D-%5BWordPress%5D-%5BCWE-89%5D-Goto-WordPress-Theme-v2.0.txt

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
10.0 (critical)

Miscellaneous

Original Researcher
m0ze
Verified
No
WPVDB ID
1cc6dc17-b019-49dd-8149-c8bba165eb30

Timeline

Publicly Published
2021-04-26 (about 4 years ago)
Added
2021-04-29 (about 4 years ago)
Last Updated
2021-05-17 (about 4 years ago)

Other

Published
Title
Published
2022-12-05
Title
Contest Gallery < 19.1.5 - Admin+ SQL Injection
Published
2014-08-01
Title
NOSpamPTI 2.1 - wp-comments-post.php comment_post_ID Parameter SQL Injection
Published
2019-04-02
Title
WP Google Maps 7.11.00-7.11.17 - Unauthenticated SQL Injection
Published
2021-09-02
Title
Meow Gallery < 4.1.9 - Contributor+ SQL Injection
Published
2025-04-07
Title
WP-Recall < 16.26.12 - Admin+ Stored XSS