WordPress Plugin Vulnerabilities

Groundhogg < 2.7.11.1 - Admin+ SQLi

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable high privilege users such as admin

Affects Plugins

Plugin icon
groundhogg
Fixed in 2.7.11.1

References

CVE
CVE-2023-34179

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
4.1 (medium)

Miscellaneous

Original Researcher
Rafshanzani Suhada
Verified
No
WPVDB ID
e18f9150-c493-4e8d-92a6-e83068391907

Timeline

Publicly Published
2023-05-30 (about 2 years ago)
Added
2023-11-17 (about 2 years ago)
Last Updated
2023-11-17 (about 2 years ago)

Other

Published
Title
Published
2024-03-20
Title
Avada < 7.11.7 - Authenticated (Admin+) SQL Injection via entry
Published
2024-03-25
Title
Media Library Assistant < 3.14 - Authenticated (Contributor+) SQL Injection via Shortcode
Published
2024-12-17
Title
WordPress Auction <= 3.7 - Editor+ SQL Injection
Published
2014-08-01
Title
WP DS FAQ <= 1.3.2 - ajax.php id Parameter SQL Injection
Published
2021-11-15
Title
Quotes Collection <= 2.5.2 - Admin+ SQL Injection