WordPress Plugin Vulnerabilities

404 Solution < 2.35.8 - Admin+ SQL Injection

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admins.

Proof of Concept

1. navigate to logs "https://example.com/wp-admin/options-general.php?page=abj404_solution&subpage=abj404_logs".
2.Click on any function like date to sort result. Observe request and response.
3. Add payload in order parameter. Payload "%2c(select*from(select(sleep(20)))a)".
4.Observe payload executed successfully

Affects Plugins

Plugin icon
404-solution
Fixed in 2.35.8

References

CVE
CVE-2024-1068

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89

Miscellaneous

Original Researcher
Sumit Patel
Submitter
Sumit Patel
Submitter website
https://www.linkedin.com/in/ipatelsumit/
Verified
Yes
WPVDB ID
25e3c1a1-3c45-41df-ae50-0e20d86c5484

Timeline

Publicly Published
2024-02-17 (about 2 months ago)
Added
2024-02-17 (about 2 months ago)
Last Updated
2024-02-17 (about 2 months ago)

Other

Published
Title
Published
2023-01-23
Title
WP Google Review Slider < 11.8 - Subscriber+ SQLi
Published
2023-05-22
Title
SupportCandy < 3.1.7 - Subscriber+ SQLi
Published
2021-06-16
Title
Filebird 4.7.3 - Unauthenticated SQL Injection
Published
2024-04-03
Title
REHub Framework < 19.6.2 - Authenticated (Subscriber+) SQL Injection
Published
2023-07-24
Title
WordPress Database Administrator <= 1.0.3 - Unauthenticated SQL Injection