WordPress Plugin Vulnerabilities

Mang Board WP < 1.6.9 - SQL Injection

Description

The plugin does not validate and sanitise the order_type parameter before using it in a SQL statement, leading to a SQL injection issue

Affects Plugins

Plugin icon
mangboard
Fixed in 1.6.9

References

CVE
CVE-2021-26609
URL
https://www.boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=36292
URL
https://plugins.trac.wordpress.org/changeset/2553718/mangboard/trunk/includes/mb-actions.php

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
7.5 (high)

Miscellaneous

Original Researcher
Sang Youn Lee
Verified
Yes
WPVDB ID
a38f2dd0-e8b6-4f97-b706-f91c82552a03

Timeline

Publicly Published
2021-10-26 (about 4 years ago)
Added
2021-10-27 (about 4 years ago)
Last Updated
2022-04-08 (about 4 years ago)

Other

Published
Title
Published
2016-07-29
Title
Ultimate Product Catalogue <= 3.9.8 - Unauthenticated Blind SQL Injection
Published
2023-07-12
Title
FluentForm < 5.0.0 - SQL Injection
Published
2023-12-07
Title
ArtPlacer Widget < 2.20.7 - Editor+ SQLi
Published
2025-09-26
Title
AllInOne - Banner Rotator <= 3.8 - Authenticated (Contributor+) SQL Injection
Published
2024-08-19
Title
Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder 2.0 - 2.13.9 - Authenticated (Administrator+) SQL Injection via getLogHistory Function