WordPress Plugin Vulnerabilities

HollerBox < 2.1.4 - Admin+ SQL Injection

Description

The plugin concatenates user input into an SQL query without escaping it first in the plugin's report API endpoint, which could allow administrators in multi-site configuration to leak sensitive information from the site's database.

Proof of Concept

Affects Plugins

Plugin icon
holler-box
Fixed in 2.1.4

References

CVE
CVE-2023-2111

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
4.1 (medium)

Miscellaneous

Original Researcher
rSolutions Security Team
Submitter
rSolutions Security Team
Submitter website
https://rsolutions.com
Verified
Yes
WPVDB ID
7a0bdd47-c339-489d-9443-f173a83447f2

Timeline

Publicly Published
2023-05-08 (about 2 years ago)
Added
2023-05-08 (about 2 years ago)
Last Updated
2023-05-08 (about 2 years ago)

Other

Published
Title
Published
2015-07-09
Title
WP Statistics <= 9.4 - Authenticated SQL Injection
Published
2015-11-24
Title
Huge IT Google Map <= 2.2.5 - Authenticated SQL Injection
Published
2014-09-26
Title
All In One WP Security plugin 3.8.2 - 2xSQL Injections
Published
2025-09-03
Title
Mail Mint < 1.18.6 - Authenticated (Administrator+) SQL Injection
Published
2024-04-16
Title
SP Project & Document Manager <= 4.71 - Authenticated (Author+) SQL Injeciton