WordPress Plugin Vulnerabilities

Short URL < 1.6.5 - Subscriber+ SQLi

Description

The plugin does not properly sanitise and escape the idLink parameter before using it in a SQL statement, leading to a SQL injection exploitable by any authenticated users, such as subscriber

Affects Plugins

Plugin icon
shorten-url
Fixed in 1.6.5

References

CVE
CVE-2022-46860

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
7.7 (high)

Miscellaneous

Original Researcher
Le Ngoc Anh
Verified
No
WPVDB ID
0a7bf7e2-bf4a-40af-84f9-3b83dcfba836

Timeline

Publicly Published
2023-06-28 (about 10 months ago)
Added
2023-11-16 (about 6 months ago)
Last Updated
2023-11-16 (about 6 months ago)

Other

Published
Title
Published
2022-12-05
Title
Contest Gallery < 19.1.5 - Author+ SQL Injection
Published
2016-02-02
Title
eShop - Authenticated Blind SQL Injection
Published
2023-11-28
Title
WordPress Brute Force Protection < 2.2.6 - Admin+ SQLi
Published
2023-05-11
Title
Slimstat Analytics < 5.0.5 - Admin+ SQLi
Published
2023-06-05
Title
Custom 404 Pro < 3.8.1 - Multiple SQL Injection