WordPress Plugin Vulnerabilities

WP Like Post <= 1.5.2 - Authenticated SQL Injection

Description

It's possible to inject SQL via several points (Client-IP Header for example) when using the [gs_lp_like_post] shortcode. A low-privileged account is necessary for this; subscriber is enough.

Found by: Paul Dannewitz

Other vulnerabilities submitted to wpvulndb: https://wpvulndb.com/search?utf8=%E2%9C%93&text=Paul+Dannewitz

Proof of Concept

Affects Plugins

Plugin icon
wp-like-post
No known fix

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89

Miscellaneous

Submitter
Paul Dannewitz
Submitter twitter
padannewitz
Verified
No
WPVDB ID
889d51a4-cf3c-4d68-83b9-fffa500063fe

Timeline

Publicly Published
2017-08-25 (about 8 years ago)
Added
2017-09-20 (about 8 years ago)
Last Updated
2017-09-20 (about 8 years ago)

Other

Published
Title
Published
2020-11-08
Title
Abandoned Cart Lite for WooCommerce < 5.8.3 - Unauthenticated SQL Injection
Published
2023-09-15
Title
Horizontal scrolling announcement <= 9.2 - Authenticated (subscriber+) Blind SQL Injection
Published
2022-08-30
Title
WP < 6.0.2 - SQLi via Link API
Published
2025-03-06
Title
Hero Maps Premium - Customizable Google Maps Plugin <= 2.3.9 - Authenticated (Subscriber+) SQL Injection
Published
2024-10-18
Title
SW Contact Form <= 1.0 - Authenticated (Subscriber+) SQL Injection