Speed Booster Pack < 4.3.3.1 – Admin+ SQL Injection | CVE 2021-25023 | Plugin Vulnerabilities

Description

The plugin does not escape the sbp_convert_table_name parameter before using it in a SQL statement to convert the related table, leading to an SQL injection

Proof of Concept

https://example.com/wp-admin/admin-ajax.php?action=sbp_database_action&sbp_action=convert_tables&sbp_convert_table_name=SQLi&nonce=b2d6208254

The nonce is obtained when Converting a table to InnoDB (/wp-admin/admin.php?page=sbp-settings#tab=database-optimization) and capturing the request

Affects Plugins

speed-booster-pack

Fixed in 4.3.3.1

References

CVE

URL

https://github.com/optimocha/speed-booster-pack/issues/53

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Quan, Hoang Xuan

Verified

Yes

WPVDB ID

4a27d374-f690-4a8a-987a-9e0f56bbe143

Timeline

Publicly Published

2021-10-16 (about 2 years ago)

Added

2021-12-01 (about 2 years ago)

Last Updated

2022-04-09 (about 2 years ago)

Other

Published

Title

Published

2021-03-15

Title

Tutor LMS < 1.8.3 - SQL Injection via tutor_quiz_builder_get_answers_by_question

Published

2014-08-01

Title

oQey Gallery <= 0.4.8 - SQL Injection

Published

2019-03-15

Title

Better Search 2.2.2 - Unauthenticated SQL Injection

Published

2014-08-01

Title

Wp-ImageZoom - zoom.php id Parameter SQL Injection

Published

2022-08-01

Title

Better Search and Replace < 1.4.1 - Admin+ SQLi