WordPress Plugin Vulnerabilities

Smart Manager < 8.28.0 - Admin+ SQL Injection

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.

Proof of Concept

Affects Plugins

Plugin icon
smart-manager-for-wp-e-commerce
Fixed in 8.28.0

References

CVE
CVE-2024-0566

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Ivan Spiridonov
Submitter
Ivan Spiridonov
Submitter website
https://xbz0n.medium.com
Verified
Yes
WPVDB ID
ca83db95-4a08-4615-aa8d-016022404c32

Timeline

Publicly Published
2024-01-18 (about 1 year ago)
Added
2024-01-18 (about 1 year ago)
Last Updated
2024-01-18 (about 1 year ago)

Other

Published
Title
Published
2014-08-01
Title
Couponer <= 1.2 - SQL Injection
Published
2025-04-07
Title
CardGate Payments for WooCommerce < 3.2.2 - Authenticated (Administrator+) SQL Injection
Published
2022-08-08
Title
Leaflet Maps Marker < 3.12.5 - Admin+ SQLi
Published
2025-01-09
Title
AI Scribe – SEO AI Writer, Content Generator, Humanizer, Blog Writer, SEO Optimizer, DALLE-3, AI WordPress Plugin ChatGPT (GPT-4o 128K) < 2.6 - Authenticated (Contributor+) SQL Injection
Published
2014-08-01
Title
ForumConverter - SQL Injection