PT-2021-16141 · WordPress · Spidercatalog

Shreya Pohekar · Published 2021-11-08 · Updated 2021-11-10 · CVE-2021-24625

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: SpiderCatalog WordPress plugin versions 1.7.3 and earlier

Description: The plugin does not sanitize or escape the parent and ordering parameters submitted from the admin dashboard before using them in a SQL statement, which leads to a SQL injection when adding a category.

Recommendations: For SpiderCatalog WordPress plugin versions 1.7.3 and earlier, update to a version that addresses this issue. As a temporary workaround, restrict access to the admin dashboard to minimize the risk of exploitation, and avoid using the parent and ordering parameters in the affected SQL statement until the issue is resolved.
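The defect class described above, shown as an added example rather than SpiderCatalog's own code: an unsafe category insert that concatenates the parent and ordering request values into SQL, beside a hardened form that coerces both to integers and binds every value through $wpdb->prepare(). The table name, function names and nonce action are hypothetical; the WordPress helpers used (absint, sanitize_text_field, wp_unslash, current_user_can, check_admin_referer, $wpdb->prepare) are real.

```php
<?php
// Added example, not the plugin's code. Table and function names are hypothetical.

// Vulnerable pattern: request values are spliced straight into the SQL text,
// so whatever is submitted as 'parent' or 'ordering' becomes part of the query.
function hypothetical_add_category_unsafe( $wpdb ) {
    $name     = $_POST['name'];
    $parent   = $_POST['parent'];
    $ordering = $_POST['ordering'];
    $wpdb->query(
        "INSERT INTO {$wpdb->prefix}spidercatalog_categories (name, parent, ordering) "
        . "VALUES ('$name', $parent, $ordering)"
    );
}

// Hardened pattern: check authorization, validate types, and bind values.
function hypothetical_add_category_safe( $wpdb ) {
    // Only users permitted to manage this data may reach the query.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    // Nonce check ties the request to the admin form (CSRF protection).
    check_admin_referer( 'hypothetical_add_category' );

    $name = sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) );
    // parent and ordering are integers by design: coerce them so that no
    // user-supplied string can ever reach the SQL text.
    $parent   = absint( $_POST['parent'] ?? 0 );
    $ordering = absint( $_POST['ordering'] ?? 0 );

    $table = $wpdb->prefix . 'spidercatalog_categories';
    // %s and %d placeholders are quoted/escaped by $wpdb->prepare().
    $sql = $wpdb->prepare(
        "INSERT INTO {$table} (name, parent, ordering) VALUES (%s, %d, %d)",
        $name,
        $parent,
        $ordering
    );
    $result = $wpdb->query( $sql );
    if ( false === $result ) {
        error_log( 'category insert failed: ' . $wpdb->last_error );
    }
    return $result;
}
```

The integer coercion is the key change for the two parameters named in the advisory: once parent and ordering are cast with absint(), the prepared statement only ever sees numbers, and the capability and nonce checks ensure the code path is reachable only from a legitimate admin form submission.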

Exploit

Fix

SQL injection


Weakness Enumeration

Related Identifiers: CVE-2021-24625

Affected Products: Spidercatalog