WordPress Plugin Vulnerabilities

WP Cloudy < 4.4.9 - Admin+ SQL Injection

Description

The plugin does not escape the post_id parameter before using it in a SQL statement in the admin dashboard, leading to a SQL Injection issue

Proof of Concept

The first digits of the post parameter must be a valid Post ID (Weather post or not) 

https://example.com/wp-admin/admin.php?action=wpc_duplicate_post_as_draft&post=1%20and%20sleep(10)%23

Affects Plugins

Plugin icon
wp-cloudy
Fixed in 4.4.9

References

CVE
CVE-2021-24864
URL
https://plugins.trac.wordpress.org/changeset/2615400

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
ZhongFu Su(JrXnm) of Wuhan University
Submitter
ZhongFu Su(JrXnm) of Wuhan University
Submitter website
https://blog.szfszf.top
Verified
Yes
WPVDB ID
e3b9ee9f-602d-4e9d-810c-e1e3ba604464

Timeline

Publicly Published
2021-10-13 (about 2 years ago)
Added
2022-01-26 (about 2 years ago)
Last Updated
2022-09-26 (about 1 years ago)

Other

Published
Title
Published
2024-02-06
Title
Podlove Subscribe button < 1.3.11 - Authenticated (Contributor+) SQL Injection
Published
2023-11-28
Title
WP Mail Log < 1.1.3 – Contributor+ SQL Injection in wml_logs endpoint
Published
2021-10-11
Title
Asgaros Forum < 1.15.13 - Unauthenticated SQL Injection
Published
2021-09-20
Title
MainWP Child Reports < 2.0.8 - Admin+ SQL Injection
Published
2023-09-18
Title
wpDiscuz < 7.6.6 - Unauthenticated SQL Injection