WordPress Plugin Vulnerabilities

Mini Cart Plugin 1.00.1 - Authenticated SQL Injection

Description

$_REQUEST[item] is not escaped. Url is accessible for user collaborator above.

Url vulnerable : http://target/wp-admin/edit.php?page=mini-cart/item_form.php&item=0&action=edit

Proof of Concept

Affects Plugins

Plugin icon
mini-cart
No known fix

References

URL
https://lenonleite.com.br/en/2016/11/11/mini-cart-plugin-1-00-1-for-wordpress/

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89

Miscellaneous

Submitter
Lenon Leite
Submitter website
http://lenonleite.com.br/
Submitter twitter
lenonleite
Verified
No
WPVDB ID
3951e854-27fc-4ae9-8707-7c326a81c7c3

Timeline

Publicly Published
2016-11-11 (about 9 years ago)
Added
2016-11-21 (about 9 years ago)
Last Updated
2019-11-01 (about 6 years ago)

Other

Published
Title
Published
2014-08-01
Title
Comment Control 0.3.0 - comment-control.php type Parameter SQL Injection
Published
2026-04-27
Title
FunnelKit – Funnel Builder for WooCommerce Checkout < 3.15.0.2 - Unauthenticated SQL Injection
Published
2025-01-24
Title
Premium Packages < 5.9.7 - Authenticated (Administrator+) SQL Injection
Published
2025-05-01
Title
FULL – Cliente 3.1.5 - 3.1.25 - Authenticated (Subscriber+) SQL Injection
Published
2025-11-07
Title
Quick Featured Images < 13.7.4 - Authenticated (Editor+) SQL Injection via delete_orphaned