WordPress Plugin Vulnerabilities

Advanced Database Cleaner < 3.0.2 - Authenticated SQL injection

Description

The plugin did not properly sanitise user input given, allowing high privilege users (admin+) to perform SQL injection attacks.

Proof of Concept

Affects Plugins

Plugin icon
advanced-database-cleaner
Fixed in 3.0.2

References

CVE
CVE-2021-24141
URL
https://plugins.trac.wordpress.org/changeset/2373460

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
6.7 (medium)

Miscellaneous

Original Researcher
Nguyen Van Khanh - SunCSR (Sun* Cyber Security Research)
Submitter
khanh
Submitter website
http://research.sun-asterisk.com/
Verified
No
WPVDB ID
5c8adca0-fe19-4624-81ef-465b8d007f93

Timeline

Publicly Published
2020-09-06 (about 5 years ago)
Added
2020-09-06 (about 5 years ago)
Last Updated
2021-01-22 (about 4 years ago)

Other

Published
Title
Published
2024-11-08
Title
WordPress Poll Maker Plugin < 5.4.7 - Authenticated (Administrator+) Time-Based SQL Injection
Published
2023-10-03
Title
Copy Or Move Comments <= 5.0.4 - Authenticated (Subscriber+) SQL Injection
Published
2023-11-23
Title
Porto Theme - Functionality < 2.12.1 - Unauthenticated SQL Injection
Published
2025-03-03
Title
Product Labels For Woocommerce < 1.5.11 - Admin+ SQLi
Published
2016-09-11
Title
MailPoet Newsletters <= 2.7.2 - SQL Injection