WordPress Plugin Vulnerabilities

Permalink Manager Lite < 2.2.13.1 - Admin+ SQL Injection

Description

The plugin does not validate and escape the orderby parameter before using it in a SQL statement in the Permalink Manager page, leading to a SQL Injection

Proof of Concept

Affects Plugins

Plugin icon
permalink-manager
Fixed in 2.2.13.1

References

CVE
CVE-2021-24769

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
bl4derunner
Submitter
Anton Sarsadskikh
Verified
Yes
WPVDB ID
a2f211af-5373-425f-9964-ebbf5efde87b

Timeline

Publicly Published
2021-09-27 (about 4 years ago)
Added
2021-09-27 (about 4 years ago)
Last Updated
2022-04-14 (about 3 years ago)

Other

Published
Title
Published
2014-08-01
Title
Wordpress 2.2 - XML-RPC SQL Injection
Published
2024-01-03
Title
pTypeConverter <= 0.2.8.1 - Authenticated (Editor+) SQL Injection
Published
2025-04-17
Title
WPAMS <= 44.0 (17-08-2023) - Authenticated (Subscriber+) SQL Injection
Published
2019-07-18
Title
Everest Forms < 1.5.0 - SQL Injection
Published
2024-11-08
Title
Horsemanager <= 1.3 - Authenticated (Contributor+) SQL Injection