WordPress Plugin Vulnerabilities

Newsletter by Supsystic <= 1.5.6 - Authenticated SQL Injection

Description

The GET parameter "sidx" is used in a SQL statement without being sanitised when searching for subscribers in the dashboard, leading to an authenticated SQL Injection issue.

Proof of Concept

Affects Plugins

Plugin icon
newsletter-by-supsystic
No known fix

References

Exploitdb
49539

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
9.0 (critical)

Miscellaneous

Original Researcher
Erik David Martin
Verified
Yes
WPVDB ID
559ea8cd-b4f5-4332-b581-9162e9cca5ff

Timeline

Publicly Published
2021-02-08 (about 5 years ago)
Added
2021-02-08 (about 5 years ago)
Last Updated
2021-02-10 (about 5 years ago)

Other

Published
Title
Published
2020-01-30
Title
Registration Magic < 4.6.0.3 - Authenticated SQL Injection via Form_id
Published
2021-07-15
Title
Woocommerce 3.3 to 5.5 - Authenticated Blind SQL Injection
Published
2015-01-15
Title
Feedweb 2.4.1-3.0.6 - SQL Injection
Published
2025-05-07
Title
YaySMTP < 2.6.5 - Authenticated (Administrator+) SQL Injection
Published
2024-05-15
Title
Tutor LMS < 2.7.1 - Authenticated (Instructor+) SQL Injection