WordPress Plugin Vulnerabilities

Search Logger <= 0.9 - Admin+ SQLi

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users

Proof of Concept

Affects Plugins

Plugin icon
search-logger
No known fix

References

CVE
CVE-2022-3131

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
5.5 (medium)

Miscellaneous

Original Researcher
Mika
Submitter
Mika
Submitter website
https://mikadmin.fr/
Submitter twitter
mika_sec
Verified
Yes
WPVDB ID
b6c62e53-ae49-4fe0-aed9-0c493fc4442d

Timeline

Publicly Published
2022-09-20 (about 3 years ago)
Added
2022-09-20 (about 3 years ago)
Last Updated
2022-09-20 (about 3 years ago)

Other

Published
Title
Published
2024-12-11
Title
SQL Chart Builder < 2.3.7 - Authenticated (Contributor+) SQL Injection
Published
2022-12-21
Title
Fontsy <= 1.8.6 - Multiple Unauthenticated SQLi
Published
2014-08-01
Title
All-in-One Event Calendar 1.9 - index.php Multiple Parameter SQL Injection
Published
2014-08-01
Title
WordPress Landing Pages < 1.2.3 - module.redirect-ab-testing.php permalink_name Parameter SQL Injection
Published
2025-01-03
Title
WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts < 2.6.17 - Authenticated (Subscriber+) SQL Injection