PT-2021-16146 · WordPress · Schreikasten Wordpress Plugin

Shreya Pohekar

Published

2021-11-08

Updated

2021-11-10

CVE-2021-24630

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Schreikasten WordPress plugin versions prior to 0.14.19

Description The issue concerns the Schreikasten WordPress plugin, where the id GET parameter is not properly sanitized or escaped before being used in SQL statements. This can lead to authenticated SQL injections, which can be exploited by users with author privileges or higher in the comments dashboard.

Recommendations For Schreikasten WordPress plugin versions prior to 0.14.19, update to version 0.14.19 or later to resolve the issue. As a temporary workaround, consider restricting access to the comments dashboard for low-privileged users, such as authors, until the update is applied.

Exploit

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2021-24630

Affected Products

Schreikasten Wordpress Plugin

PT-2021-16146 · WordPress · Schreikasten Wordpress Plugin

CVE-2021-24630

Weakness Enumeration

Related Identifiers

Affected Products

References · 4