WordPress Plugin Vulnerabilities

Taskbuilder < 3.0.5 - Admin+ SQL Injection

Description

The plugin does not sanitize user input into the 'load_orders' parameter and uses it in a SQL statement, allowing high privilege users such as admin to perform SQL Injection attacks

Proof of Concept

Affects Plugins

Plugin icon
taskbuilder
Fixed in 3.0.5

References

CVE
CVE-2024-9828

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
4.1 (medium)

Miscellaneous

Original Researcher
Ryoma Yamada
Submitter
Ryoma Yamada
Verified
Yes
WPVDB ID
eb2d0932-fd47-4aef-9d08-4377c742bb6e

Timeline

Publicly Published
2024-10-31 (about 1 year ago)
Added
2024-10-31 (about 1 year ago)
Last Updated
2024-10-31 (about 1 year ago)

Other

Published
Title
Published
2022-02-28
Title
BookingPress < 1.0.11 - Unauthenticated SQL Injection
Published
2021-08-06
Title
Block and Stop Bad Bots < 6.60 - Authenticated SQL Injections
Published
2025-02-08
Title
Super Store Finder < 7.1 - Unauthenticated SQL Injection to Stored Cross-Site Scripting
Published
2025-02-12
Title
LTL Freight Quotes – FreightQuote Edition < 2.3.12 - Unauthenticated SQL Injection
Published
2024-09-09
Title
Cost Calculator Builder < 3.2.29 - Admin+ SQL Injection