WP-Recall < 16.26.12 – Admin+ SQL Injection | CVE 2024-9770 | Plugin Vulnerabilities

Description

The plugin does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks

Proof of Concept

1. Dashboard -> WP-RECALL -> Add-ons -> Activate Commerce
2. Dashboard -> Rcl Commerce -> Export/Import -> Click "Upload products to a file"
3. Intercept the request and modify the first product[fields] field to `sleep(1)%20FROM%20wp_posts%20%3B%23%20`
4. Observe the delay showing successful SQL injection

Affects Plugins

Fixed in 16.26.12

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

y4ng0615

Submitter

y4ng0615

Verified

Yes

WPVDB ID

d31f8713-b807-4ac4-8897-7d62a93bb2db

Timeline

Publicly Published

2025-03-04 (about 9 months ago)

Added

2025-03-04 (about 9 months ago)

Last Updated

2025-03-04 (about 9 months ago)

Other

Published

Title

Published

2025-11-07

Title

Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI < 3.40.1 - Authenticated (Editor+) SQL Injection

Published

2016-12-12

Title

WP Support Plus Responsive Ticket System < 8.0.0 – Authenticated SQL Injection

Published

2025-06-30

Title

LMS <= 9.1 - Unauthenticated SQL Injection

Published

2025-05-14

Title

File Provider <= 1.2.3 - Unauthenticated SQLi

Published

2021-07-15

Title

WooCommerce Blocks 2.5 to 5.5 - Unauthenticated SQL Injection