CVE-2021-24521 Side Menu Lite < 2.2.1 - Authenticated SQL Injection

The Side Menu Lite – add sticky fixed buttons WordPress plugin before 2.2.1 does not properly sanitize input values from the browser when building an SQL statement. Users with the administrator role or permission to manage this plugin could perform an SQL Injection attack...

Paid Member Subscriptions < 2.4.2 - Authenticated SQL Injection

The plugin did not sanitise, validate or escape its order and orderby parameters before using them in SQL statement, leading to Authenticated SQL Injections in the Members and Payments pages. http://www.example.com/wp-admin/admin.php?page=pms-members-page&orderby=userid&order=asc,select from...

Side Menu Lite < 2.2.6 - Authenticated SQL Injection

The plugin does not sanitise user input from the List page in the admin dashboard before using it in SQL statement, leading to an SQL Injection issue PoC POST /wp-admin/admin.php?page=side-menu-lite=list HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8...

Embed Youtube Video <= 1.0 - Authenticated SQL Injection

The editid GET parameter of the plugin is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. GET /wp-admin/admin.php?page=embed-youtube-video-add&editid=-6425+UNION+ALL+SELECT+NULL%2Cuser%28%29%2CNULL%2CNULL%2CNULL-- HTTP/1.1 Cache-Control: max-age=...

Giveaway <= 1.2.2 - Authenticated SQL Injection

The plugin is vulnerable to an SQL Injection issue which allows an administrative user to execute arbitrary SQL commands via the $postid on the options.php page. 1. Navigate in Wordpress panel to Settings - Giveaway 2. Intercept the request in Burp Suite 3. Click on "Select" button at the very to...

Export Users With Meta < 0.6.5 - Authenticated SQL Injection

The plugin did not escape the list of roles to export before using them in a SQL statement in the export functionality, available to admins, leading to an authenticated SQL Injection. POST /wp-admin/users.php?page=uewmsettings HTTP/1.1 Accept:...

CVE-2021-31818

Affected versions of Octopus Server are prone to an authenticated SQL injection vulnerability in the Events REST API because user supplied data in the API request isn’t parameterised correctly. Exploiting this vulnerability could allow unauthorised access to database tables...

CVE-2020-24671

Trace Financial CRESTBridge 6.3.0.02 contains an authenticated SQL injection vulnerability, which was fixed in 6.3.0.03...

WordPress XCloner Backup, Restore and Migrate plugin <= 4.2.161 - Authenticated SQL Injection (SQLi) vulnerability

Authenticated SQL Injection SQLi vulnerability discovered by Ngo Van Thien Sun Research & Development WordPress XCloner Backup, Restore and Migrate plugin versions = 4.2.161. Solution Update the WordPress XCloner Backup, Restore and Migrate plugin to the latest available version at least 4.2.163...

Activity Log < 2.7.0 - Authenticated SQL Injection

The plugin was vulnerable to SQL Injection in the order column of the past events table. time curl 'http://www.example.com/wp-admin/admin.php?page=activitylogpage&orderby=histtime%20AND%20SLEEP%280%29' -H 'Cookie: ...'...

CVE-2021-24221 Quiz And Survey Master < 7.1.12 - Authenticated SQL injection via shortcode

The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress plugin before 7.1.12 did not sanitise the resultid GET parameter on pages with the qsmresult shortcode without id attribute, concatenating it in a SQL statement and leading to an SQL injection. The lowest role allowed to...

WordPress Simple Membership plugin <= 4.0.3 - Authenticated SQL Injection (SQLi) vulnerability

Authenticated SQL Injection SQLi vulnerability discovered by Martin Vierula in WordPress Simple Membership plugin versions = 4.0.3. Solution Update the WordPress Simple Membership plugin to the latest available version at least 4.0.4...

CVE-2021-24138

Unvalidated input in the AdRotate WordPress plugin, versions before 5.8.4, leads to Authenticated SQL injection via param "id". This requires an admin privileged user...

CVE-2021-24138 AdRotate < 5.8.4 - Authenticated SQL Injection

Unvalidated input in the AdRotate WordPress plugin, versions before 5.8.4, leads to Authenticated SQL injection via param "id". This requires an admin privileged user...

Newsletter by Supsystic <= 1.5.6 - Authenticated SQL Injection

The GET parameter "sidx" is used in a SQL statement without being sanitised when searching for subscribers in the dashboard, leading to an authenticated SQL Injection issue. PoC The PoC will be displayed once the issue has been remediated...

Data Tables Generator by Supsystic < 1.10.0 - Authenticated SQL Injection

The POST parameter "datasearchtextlike" was used in a SQL statement without being sanitised when searching for Tables in the dashboard, leading to an authenticated SQL Injection issue. PoC POST /wp-admin/admin-ajax.php HTTP/1.1 Host: example.com User-Agent: YOLO Accept: / Accept-Language:...

Modern Events Calendar Lite < 5.16.6 - Authenticated SQL Injection

The plugin did not sanitise the mecpostid POST parameter in the mecfesform AJAX action when logged in as an author+, leading to an authenticated SQL Injection issue. If the Frontend Event Submission form is embed in a public page, then it could lead to any authenticated user, like subscribers to...

WordPress Slider by 10Web plugin <= 1.2.35 - Multiple Authenticated SQL Injection (SQLi) vulnerabilities

Multiple Authenticated SQL Injection SQLi vulnerabilities found by Nguyen Anh Tien in WordPress Slider by 10Web plugin versions = 1.2.35. Solution Update the WordPress Slider by 10Web plugin to the latest available version at least 1.2.36...

WordPress Recall Products plugin <= 0.8 - Authenticated SQL Injection (SQLi) vulnerability

Authenticated SQL Injection SQLi vulnerability found by ZERO APTITUDE in WordPress Recall Products plugin versions = 0.8. Solution 2020-09-16 - we were unable to find a patched version of this plugin. WordPress.org notification: "This plugin has been closed as of July 28, 2020 and is not availabl...

Recall Products <= 0.8 - Authenticated SQL Injection

The Manufacturer POST parameter is vulnerable to SQL injection when submitting a deletion request. The PoC will be displayed once the issue has been remediated...