WordPress Plugin Vulnerabilities

Tipsacarrier < 1.5.0.5 - Unauthenticated SQLi

Description

The plugin does not sanitise and escape various parameters before using them in SQL statements, and is lacking authorisation checks in some calls as well, leading to SQL Injection issues

Vendor was notified on November 26th, 2021, did not reply nor fix the issue

Proof of Concept

Affects Plugins

Plugin icon
tipsacarrier
Fixed in 1.5.0.5

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
8.6 (high)

Miscellaneous

Original Researcher
WPScanTeam
Verified
Yes
WPVDB ID
98af3034-1091-49e5-839b-01a6edede896

Timeline

Publicly Published
2022-04-05 (about 4 years ago)
Added
2022-04-05 (about 4 years ago)
Last Updated
-0001-11-30 (about 2026 years ago)

Other

Published
Title
Published
2025-02-23
Title
Wishlist < 1.0.42 - Authenticated (Contributor+) SQL Injection
Published
2024-12-11
Title
SeedProd Pro < 6.18.13 - Authenticated (Administrator+) SQL Injection
Published
2024-03-28
Title
CRM Perks Forms < 1.1.5 - Unauthenticated SQL Injection
Published
2024-08-26
Title
SendGrid for WordPress <= 1.4 - Unauthenticated SQL Injection
Published
2025-09-22
Title
Mail Mint < 1.18.7 - Authenticated (Administrator+) SQL Injection