WordPress Plugin Vulnerabilities

wpDataTables < 3.4.2 - Blind SQL Injection via length Parameter

Description

The plugin allows a low privilege authenticated user to perform Boolean-based blind SQL Injection in the table list page on the endpoint /wp-admin/admin-ajax.php?action=get_wdtable&table_id=1, on the 'length' HTTP POST parameter. This allows an attacker to access all the data in the database and obtain access to the WordPress application.

Note: This affect the premium version of the plugin, however, both the premium and free plugins have the same slug.

Affects Plugins

Plugin icon
wpdatatables
Fixed in 3.4.2

References

CVE
CVE-2021-24200
URL
https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/
URL
https://wpdatatables.com/help/whats-new-changelog/

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
9.9 (critical)

Miscellaneous

Original Researcher
Veno Eivazian, Massimiliano Ferraresi
Submitter
Veno Eivazian
Submitter website
https://n4nj0.github.io/
Verified
No
WPVDB ID
21aa7e18-0162-45bf-a5c6-ceee64ffa1f9

Timeline

Publicly Published
2021-03-16 (about 4 years ago)
Added
2021-03-25 (about 4 years ago)
Last Updated
2021-03-28 (about 4 years ago)

Other

Published
Title
Published
2024-12-14
Title
Mimoos <= 1.2 - Authenticated (Subscriber+) SQL Injection
Published
2024-03-29
Title
Easy Form Builder < 3.7.5 - Authenticated (Contributor+) SQL Injection
Published
2024-04-25
Title
WooCommerce Amazon Affiliates <= 14.0.33 - Subscriber+ SQL Injection
Published
2021-10-16
Title
Speed Booster Pack < 4.3.3.1 - Admin+ SQL Injection
Published
2024-10-31
Title
Woocommerce Quote Calculator <= 1.1 - Authenticated (Contributor+) SQL Injection