WordPress Plugin Vulnerabilities

WP RSS By Publishers <= 0.1 - Admin+ SQLi

Description

The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin

Proof of Concept

Affects Plugins

Plugin icon
wp-rss-by-publishers
No known fix

References

CVE
CVE-2022-4359
URL
https://bulletin.iese.de/post/wp-rss-by-publishers_0-1_2

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
4.1 (medium)

Miscellaneous

Original Researcher
Daniel Krohmer, Kunal Sharma
Submitter
Daniel Krohmer
Submitter website
https://www.iese.fraunhofer.de/en.html
Verified
Yes
WPVDB ID
8472dd40-27e3-4084-907a-e251a2a0f339

Timeline

Publicly Published
2022-12-09 (about 3 years ago)
Added
2022-12-09 (about 3 years ago)
Last Updated
-0001-11-30 (about 2026 years ago)

Other

Published
Title
Published
2014-08-01
Title
WordPress <= 1.5.1.1 - SQL Injection
Published
2024-11-15
Title
Post SMTP < 2.9.10 - Admin+ SQLi
Published
2013-04-11
Title
Spider Video Player <= 2.1 - SQL Injection
Published
2025-03-03
Title
Product Labels For Woocommerce < 1.5.11 - Admin+ SQLi
Published
2025-11-11
Title
DB Access <= 0.8.7 - Subscriber+ SQLi