WordPress Plugin Vulnerabilities

Wow Countdowns <= 3.1.2 - Admin+ SQLi

Description

The plugin does not sanitize user input into the 'did' parameter and uses it in a SQL statement, leading to an authenticated SQL Injection.

Proof of Concept

Affects Plugins

Plugin icon
mwp-countdown
No known fix

References

CVE
CVE-2021-25064

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
0xdecafbad
Submitter website
http://vuln.farm
Verified
Yes
WPVDB ID
30c70315-3c17-41f0-a12f-7e3f793e259c

Timeline

Publicly Published
2022-03-07 (about 3 years ago)
Added
2022-03-07 (about 3 years ago)
Last Updated
2022-04-09 (about 3 years ago)

Other

Published
Title
Published
2022-06-16
Title
Pricing Deals for WooCommerce < 2.0.3 - Unauthenticated SQLi
Published
2024-04-12
Title
Disable Comments | WPZest <= 1.51 - Authenticated (Administrator+) SQL Injection
Published
2025-02-17
Title
Simple Signup Form <= 1.6.5 - Authenticated (Contributor+) SQL Injection
Published
2023-12-27
Title
WebinarIgnition < 3.05.1 - Unauthenticated SQL Injection
Published
2014-08-01
Title
Malmonation - debate.php id Parameter SQL Injection