Giveaway <= 1.2.2 – Authenticated SQL Injection | CVE 2021-24497 | Plugin Vulnerabilities

Description

The plugin is vulnerable to an SQL Injection issue which allows an administrative user to execute arbitrary SQL commands via the $post_id on the options.php page.

Proof of Concept

1. Navigate in Wordpress panel to Settings -> Giveaway

2. Intercept the request in Burp Suite

3. Click on "Select" button at the very top

4. payload: (select*from(select(sleep(10)))a)

5. modify POST parameter "options%5Bpost%5D" with SQLi payload

6. the page will sleep for 10 seconds

Affects Plugins

No known fix

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Mesut Cetin

Submitter

Mesut Cetin

Verified

Yes

WPVDB ID

a1cf08fe-943a-4f14-beb0-25216011b538

Timeline

Publicly Published

2021-07-20 (about 4 years ago)

Added

2021-07-20 (about 4 years ago)

Last Updated

2022-04-12 (about 3 years ago)

Other

Published

Title

Published

2023-12-21

Title

BookIt < 2.4.4 - Authenticated(Administrator+) SQL Injection

Published

2022-12-02

Title

Plugin Logic < 1.0.8 - Admin+ SQLi

Published

2025-03-01

Title

Bitcoin / AltCoin Payment Gateway for WooCommerce <= 1.7.6 - Unauthenticated SQL Injection

Published

2022-02-01

Title

Page Views Count < 2.4.15 - Unauthenticated SQL Injection

Published

2019-07-11

Title

FV Flowplayer Video Player < 7.3.19.727 - SQL Injection