WordPress Plugin Vulnerabilities

Post Content XMLRPC <= 1.0 - Admin+ SQL Injections

Description

The plugin does not sanitise or escape multiple GET/POST parameters before using them in SQL statements in the admin dashboard, leading to an authenticated SQL Injections

Proof of Concept

Affects Plugins

Plugin icon
post-content-xmlrpc
No known fix

References

CVE
CVE-2021-24629
URL
https://codevigilant.com/disclosure/2021/wp-plugin-post-content-xmlrpc/

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
7.6 (high)

Miscellaneous

Original Researcher
Shreya Pohekar of Codevigilant Project
Verified
Yes
WPVDB ID
fb42980c-93e5-42d5-a478-c2b348eaea67

Timeline

Publicly Published
2021-10-07 (about 4 years ago)
Added
2021-10-07 (about 4 years ago)
Last Updated
2022-04-12 (about 3 years ago)

Other

Published
Title
Published
2023-11-06
Title
WP Reroute Email < 1.4.8 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Published
2023-04-18
Title
Email posts to subscribers <= 6.2 - Unauthenticated SQLi
Published
2025-06-05
Title
Persian Woocommerce SMS < 7.1.0 - Authenticated (Shop manager+) SQL Injection
Published
2022-12-05
Title
Contest Gallery < 19.1.5 - Admin+ SQL Injection
Published
2023-11-07
Title
Master Slider Pro <= 3.6.5 - Authenticated (Editor+) SQL Injection