WordPress Plugin Vulnerabilities

10Web Social Post Feed < 1.1.27 - Authenticated SQL Injection

Description

Authenticated SQL injection in the 10Web Social Post Feed WordPress Plugin 1.1.26 via the /wordpress/wp-admin/admin.php?page=info_ffwd search_value parameter.

Proof of Concept

Affects Plugins

Plugin icon
wd-facebook-feed
Fixed in 1.1.27

References

URL
https://plugins.trac.wordpress.org/changeset/2378178

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Vu Tien Hoa - SunCSR (Sun* Cyber Security Research)
Submitter
Vu Tien Hoa
Submitter website
https://research.sun-asterisk.com/en
Submitter twitter
hoavt184
Verified
Yes
WPVDB ID
7425a58c-fe36-4513-bd9e-5a0fbde9a892

Timeline

Publicly Published
2020-09-11 (about 5 years ago)
Added
2020-09-11 (about 5 years ago)
Last Updated
2020-09-11 (about 5 years ago)

Other

Published
Title
Published
2014-12-02
Title
SP Client Document Manager < 2.4.4 - Multiple SQL Injection
Published
2026-01-15
Title
CleverReach® WP < 1.5.22 - Unauthenticated SQL Injection via id
Published
2025-01-15
Title
Passwords Manager < 1.5.1 - Missing Authorization to Authenticated (Subscriber+) Add Password + Update Encryption Key
Published
2022-08-23
Title
BadgeOS < 3.7.1.3 - Subscriber+ SQLi
Published
2024-07-22
Title
ListingPro Plugin <= 2.9.3 - Unauthenticated SQL Injection