WP Advanced Search <= 1.1.6 – Admin+ SQL Injection | CVE 2024-3265 | Plugin Vulnerabilities

Description

The plugin does not properly escape parameters appended to an SQL query, making it possible for users with the administrator role to conduct SQL Injection attacks in the context of a multisite WordPress configurations.

Proof of Concept

1. Log in as an administrator
2. Visit /wp-admin/admin.php?page=advance-search and create a new shortcode
3. In the "Post Type" section, fill the "List of Post Meta Keys" field with the following PoC:

', data=(SELECT sleep(10) FROM wp_users)-- a

4. Save the shortcode, and notice the requests takes a long time to finish, indicating our `sleep(10)` instruction executed in the context of an SQL query.

Affects Plugins

No known fix

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

fourcade

Submitter

fourcade

Verified

Yes

WPVDB ID

ecb74622-eeed-48b6-a944-4e3494d6594d

Timeline

Publicly Published

2024-04-04 (about 1 year ago)

Added

2024-04-04 (about 1 year ago)

Last Updated

2024-04-25 (about 1 year ago)

Other

Published

Title

Published

2024-12-02

Title

FAT Services Booking <= 5.6 - Unauthenticated SQL Injection

Published

2025-03-31

Title

RSVPMarker < 11.6.8 - Unauthenticated SQL Injection

Published

2025-03-18

Title

AHAthat Plugin <= 1.6 - Authenticated (Administrator+) SQL Injection via id Parameter

Published

2015-05-04

Title

Pie Register 2.0.14-2.0.15 - SQL Injection

Published

2012-01-20

Title

Mingle Forum < 1.0.33 - Multiple SQL Injection