PT-2021-16074 · WordPress · Paytm – Donation Plugin

Shreya Pohekar

Published

2021-08-23

Updated

2021-08-26

CVE-2021-24554

CVSS v3.1

7.2

High

Vector

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Paytm – Donation Plugin WordPress plugin versions 1.3.2 and earlier

Description The issue arises from the plugin's failure to sanitise, validate, or escape the id GET parameter before using it in a SQL statement when deleting donations, leading to an authenticated SQL injection issue.

Recommendations For Paytm – Donation Plugin WordPress plugin versions 1.3.2 and earlier, update to a version that addresses this issue. As a temporary workaround, consider restricting access to the donation deletion functionality to minimize the risk of exploitation. Avoid using the id GET parameter in the affected API endpoint until the issue is resolved.

Exploit

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2021-24554

Affected Products

Paytm – Donation Plugin

PT-2021-16074 · WordPress · Paytm – Donation Plugin

CVE-2021-24554

Weakness Enumeration

Related Identifiers

Affected Products

References · 6