WordPress Plugin Vulnerabilities

Contest Gallery < 13.1.0.6 - Missing Access Controls to Unauthenticated SQL injection / Email Address Disclosure

Description

The plugin does not have capability checks and does not sanitise or escape the cg-search-user-name-original parameter before using it in a SQL statement when exporting users from a gallery, which could allow unauthenticated to perform SQL injections attacks, as well as get the list of all users registered on the blog, including their username and email address

Proof of Concept

Affects Plugins

Plugin icon
contest-gallery
Fixed in 13.1.0.6

References

CVE
CVE-2021-24915
URL
https://gist.github.com/tpmiller87/6c05596fe27dd6f69f1aaba4cbb9c917

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
8.6 (high)

Miscellaneous

Original Researcher
Tyler Miller
Submitter
Tyler Miller
Submitter twitter
_treadwater
Verified
Yes
WPVDB ID
45ee86a7-1497-4c81-98b8-9a8e5b3d4fac

Timeline

Publicly Published
2021-11-01 (about 4 years ago)
Added
2021-11-01 (about 4 years ago)
Last Updated
2022-04-13 (about 3 years ago)

Other

Published
Title
Published
2021-12-06
Title
Tab - Accordion, FAQ < 1.3.2 - Unauthenticated AJAX Calls
Published
2022-01-19
Title
WP HTML Mail < 3.1 - Unprotected REST-API Endpoint
Published
2021-04-14
Title
BuddyPress < 7.3.0 - Multiple Authenticated REST API Vulnerabilities
Published
2022-01-06
Title
Ultimate Product Catalog < 5.0.26 - Subscriber+ Arbitrary Product Creation & Settings Update
Published
2021-08-18
Title
Visual Link Preview < 2.2.3 - Unauthorised AJAX Calls