WordPress Plugin Vulnerabilities

WooCommerce Beta Tester < 2.2.4 - Admin+ SQLi

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.

Affects Plugins

Plugin icon
woocommerce-beta-tester
Fixed in 2.2.4

References

URL
https://hackerone.com/reports/1998495
URL
https://developer.woocommerce.com/2023/08/23/woocommerce-beta-tester-plugin-deprecation-vulnerability-found/

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
4.1 (medium)

Miscellaneous

Original Researcher
teo23mal
Verified
No
WPVDB ID
a6e0b17d-1980-4f65-ae8d-fa7ddca4aaaa

Timeline

Publicly Published
2023-09-12 (about 2 years ago)
Added
2023-09-12 (about 2 years ago)
Last Updated
2023-09-12 (about 2 years ago)

Other

Published
Title
Published
2022-12-05
Title
Contest Gallery < 19.1.5 - Author+ SQL Injection
Published
2021-02-08
Title
Membership by Supsystic <= 1.5.0 - Authenticated SQL Injection
Published
2014-08-01
Title
ripe-hd-player 1.0 - ripe-hd-player/config.php id Parameter SQL Injection
Published
2021-12-13
Title
The Plus Addons for Elementor Pro < 5.0.7 - Unauthenticated SQL Injection
Published
2019-04-11
Title
Advanced Contact form 7 DB <= 1.6.0 - Authenticated SQL Injection