WordPress Plugin Vulnerabilities

Adicon Server <= 1.2 - Admin+ SQL Injection

Description

The plugin does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks

Proof of Concept

Affects Plugins

Plugin icon
adicons
No known fix

References

CVE
CVE-2024-7766
YouTube Video

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
4.1 (medium)

Miscellaneous

Original Researcher
Sumit Patel
Submitter
Sumit Patel
Submitter website
https://www.linkedin.com/in/ipatelsumit/
Verified
Yes
WPVDB ID
ca4d629e-ab55-4e5d-80c9-fddbc9c97259

Timeline

Publicly Published
2024-08-22 (about 1 year ago)
Added
2024-08-22 (about 1 year ago)
Last Updated
2024-08-22 (about 1 year ago)

Other

Published
Title
Published
2014-08-01
Title
ActiveHelper LiveHelp Server 3.2.2 - server/frames.php DEPARTMENT Parameter SQL Injection
Published
2016-12-05
Title
WA Form Builder 1.1 - Unauthenticated SQL Injection
Published
2025-01-07
Title
Virtual Bot <= 1.0.0 - Unauthenticated SQL Injection
Published
2014-08-01
Title
My Category Order <= 2.8 - SQL Injection
Published
2025-03-31
Title
My auctions allegro < 3.6.21 - Contributor+ SQLi