WordPress Plugin Vulnerabilities

User Control - Unauthenticated SQL Injection

Description

The User Control plugin has a vulnerability that allows every (unauthenticated) website visitor to perform arbitrary SQL queries.

Affects Plugins

Plugin icon
user-control
No known fix

References

URL
https://gist.github.com/JustThomas/cc6251400b2f7f4f7d4ed900798e9364

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89

Miscellaneous

Submitter
JustThomas
Submitter website
https://github.com/JustThomas
Verified
No
WPVDB ID
7257f4f7-ab6a-433b-bd22-cf106ca4a6fb

Timeline

Publicly Published
2018-01-28 (about 8 years ago)
Added
2018-01-29 (about 8 years ago)
Last Updated
2019-11-01 (about 6 years ago)

Other

Published
Title
Published
2019-08-27
Title
Nextgen Gallery < 3.2.11 - SQL Injection
Published
2014-08-01
Title
bbPress - Multiple Script Malformed Input Path Disclosure
Published
2025-06-05
Title
Persian Woocommerce SMS < 7.1.0 - Authenticated (Shop manager+) SQL Injection
Published
2025-05-08
Title
SMS Alert Order Notifications – WooCommerce < 3.8.2 - Unauthenticated SQL Injection
Published
2025-02-23
Title
WP Yelp Review Slider < 8.2 - Authenticated (Administrator+) SQL Injection