WordPress Plugin Vulnerabilities

WP Google Maps 7.11.00-7.11.17 - Unauthenticated SQL Injection

Description

The includes/class.rest-api.php in the REST API does not sanitize field names before a SELECT statement, leading to an unauthenticated SQL injection issue.

Proof of Concept

Affects Plugins

Plugin icon
wp-google-maps
Fixed in 7.11.18

References

CVE
CVE-2019-10692
Exploitdb
48918
URL
auxiliary/admin/http/wp_google_maps_sqli
URL
https://packetstormsecurity.com/files/#159640/
URL
https://plugins.trac.wordpress.org/changeset/2061434/wp-google-maps/trunk/includes/class.rest-api.php

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
Thomas Chauchefoin
Verified
No
WPVDB ID
475404ce-2a1a-4d15-bf02-df0ea2afdaea

Timeline

Publicly Published
2019-04-02 (about 7 years ago)
Added
2019-04-02 (about 7 years ago)
Last Updated
2020-11-19 (about 5 years ago)

Other

Published
Title
Published
2022-02-16
Title
Simple Quotation <= 1.3.2 - Subscriber+ SQL injection
Published
2023-12-29
Title
Recipe Maker For Your Food Blog from Zip Recipes < 8.1.1 - Authenticated(Contributor+) SQL Injection
Published
2018-12-28
Title
Adicon Server <= 1.2 - SQL Injection
Published
2025-07-17
Title
B1.lt for WooCommerce < 2.2.57 - Authenticated (Subscriber+) SQL Injection
Published
2022-02-07
Title
RegistrationMagic < 5.0.2.2 - Admin+ SQL Injection