Speed Booster Pack < 4.3.3.1 – Admin+ SQL Injection | CVE 2021-25023 | Plugin Vulnerabilities

Description

The plugin does not escape the sbp_convert_table_name parameter before using it in a SQL statement to convert the related table, leading to an SQL injection

Proof of Concept

https://example.com/wp-admin/admin-ajax.php?action=sbp_database_action&sbp_action=convert_tables&sbp_convert_table_name=SQLi&nonce=b2d6208254

The nonce is obtained when Converting a table to InnoDB (/wp-admin/admin.php?page=sbp-settings#tab=database-optimization) and capturing the request

Affects Plugins

speed-booster-pack

Fixed in 4.3.3.1

References

CVE

URL

https://github.com/optimocha/speed-booster-pack/issues/53

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Quan, Hoang Xuan

Verified

Yes

WPVDB ID

4a27d374-f690-4a8a-987a-9e0f56bbe143

Timeline

Publicly Published

2021-10-16 (about 4 years ago)

Added

2021-12-01 (about 4 years ago)

Last Updated

2022-04-09 (about 3 years ago)

Other

Published

Title

Published

2025-04-09

Title

WP Inquiries <= 0.2.1 - Authenticated (Administrator+) SQL Injection

Published

2014-08-01

Title

WP DS FAQ Plus - Unspecified SQL Injection

Published

2024-11-15

Title

Blogger 301 Redirect <= 2.5.3 - Unauthenticated SQL Injection via br

Published

2024-12-14

Title

Wr Age Verification <= 2.0.0 - Unauthenticated SQL Injection

Published

2017-02-26

Title

Note Press < 0.1.2 - SQL Injection