WordPress Plugin Vulnerabilities

Build App Online < 1.0.19 - Unauthenticated SQL Injection

Description

The plugin does not properly sanitise and escape some parameters before using them in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection

Proof of Concept

Affects Plugins

Plugin icon
build-app-online
Fixed in 1.0.19

References

CVE
CVE-2022-3241

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
8.6 (high)

Miscellaneous

Original Researcher
Francesco Marano, Donato Di Pasquale
Submitter
Donato Di Pasquale
Verified
Yes
WPVDB ID
a995dd67-43fc-4087-a7f1-5db57f4c828c

Timeline

Publicly Published
2022-12-06 (about 3 years ago)
Added
2022-12-07 (about 3 years ago)
Last Updated
2022-12-07 (about 3 years ago)

Other

Published
Title
Published
2024-05-23
Title
Search & Replace < 3.2.2 - Administrator+ SQL injection
Published
2021-07-27
Title
Side Menu Lite < 2.2.6 - Authenticated SQL Injection
Published
2015-11-24
Title
WordPress Meta Robots <= 2.1 - Authenticated Blind SQL Injection
Published
2025-01-20
Title
Social Share, Social Login and Social Comments Plugin – Super Socializer < 7.14.1 - Unauthenticated Limited SQL Injection via 'SuperSocializerKey'
Published
2024-08-01
Title
Easy Digital Downloads < 3.3.1 - Unauthenticated SQL Injection