JoomSport < 5.1.8 – Unauthenticated PHP Object Injection | CVE 2021-24384

Description

The joomsport_md_load AJAX action of the plugin, registered for both unauthenticated and unauthenticated users, unserialised user input from the shattr POST parameter, leading to a PHP Object Injection issue. Even though the plugin does not have a suitable gadget chain to exploit this, other installed plugins could, which might lead to more severe issues such as RCE

Proof of Concept

POST /wp-admin/admin-ajax.php
[...]

action=joomsport_md_load&mdId=1&shattr=Tzo0OiJURVNUIjowOnt9

Affects Plugins

joomsport-sports-league-results-management

Fixed in 5.1.8

References

CVE

CVE-2021-24384

Classification

Type

OBJECT INJECTION

OWASP top 10

A8: Insecure Deserialization

CWE

CWE-502

CVSS

6.5 (medium)

Miscellaneous

Original Researcher

Bugbang

Submitter

Bugbang

Submitter twitter

xBugBang

Verified

Yes

WPVDB ID

fb6c407c-713c-4e83-92ce-4e5f791be696

Timeline

Publicly Published

2021-06-08 (about 4 years ago)

Added

2021-06-08 (about 4 years ago)

Last Updated

2022-01-17 (about 4 years ago)

Other

Published

Title

Published

2025-04-21

Title

Altair <= 5.2.2 - Unauthenticated PHP Object Injection

Published

2025-01-30

Title

iControlWP – Multiple WordPress Site Manager < 4.5.0 - Unauthenticated PHP Object Injection

Published

2024-01-30

Title

PropertyHive < 2.0.6 - Unauthenticated PHP Object Injection via propertyhive_currency

Published

2024-03-26

Title

WholesaleX – WooCommerce Wholesale Plugin (Wholesale Prices, Dynamic Pricing, Tiered Pricing) < 1.3.3 - Unauthenticated PHP Object Injection

Published

2024-01-31

Title

ERE Recently Viewed < 2.0 - Unauthenticated PHP Object Injection