WordPress Plugin Vulnerabilities

Speed Booster Pack < 4.3.3.1 - Admin+ SQL Injection

Description

The plugin does not escape the sbp_convert_table_name parameter before using it in a SQL statement to convert the related table, leading to an SQL injection

Proof of Concept

https://example.com/wp-admin/admin-ajax.php?action=sbp_database_action&sbp_action=convert_tables&sbp_convert_table_name=SQLi&nonce=b2d6208254

The nonce is obtained when Converting a table to InnoDB (/wp-admin/admin.php?page=sbp-settings#tab=database-optimization) and capturing the request

Affects Plugins

Plugin icon
speed-booster-pack
Fixed in 4.3.3.1

References

CVE
CVE-2021-25023
URL
https://github.com/optimocha/speed-booster-pack/issues/53

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Quan, Hoang Xuan
Verified
Yes
WPVDB ID
4a27d374-f690-4a8a-987a-9e0f56bbe143

Timeline

Publicly Published
2021-10-16 (about 2 years ago)
Added
2021-12-01 (about 2 years ago)
Last Updated
2022-04-09 (about 1 years ago)

Other

Published
Title
Published
2016-05-20
Title
Huge IT Image Gallery < 1.9.0 - Unauthenticated SQL Injection
Published
2014-08-01
Title
WP DS FAQ <= 1.3.2 - ajax.php id Parameter SQL Injection
Published
2014-08-01
Title
My Category Order <= 2.8 - SQL Injection
Published
2022-04-13
Title
Product Filter For WooCommerce Product <= 1.3.0 - Unauthenticated SQLi
Published
2014-08-01
Title
Spider Calendar 1.0.1 - spidercalendarbig_seemore.php calendar_id Parameter SQL Injection