CVE-2021-24200

The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 allows a low privilege authenticated user to perform Boolean-based blind SQL Injection in the table list page on the endpoint /wp-admin/admin-ajax.php?action=get_wdtable&table_id=1, on the 'length' HTTP POST parameter. This allows an attacker to access all the data in the database and obtain access to the WordPress application.
Configurations

Configuration 1

cpe:2.3:a:tms-outsource:wpdatatables:*:*:*:*:premium:wordpress:*:*

History

21 Nov 2024, 05:52

Type       | Values Removed                                                                                     | Values Added
References | https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/ - Third Party Advisory         | https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/ - Third Party Advisory
References | https://wpdatatables.com/help/whats-new-changelog/ - Release Notes, Vendor Advisory                  | https://wpdatatables.com/help/whats-new-changelog/ - Release Notes, Vendor Advisory
References | https://wpscan.com/vulnerability/21aa7e18-0162-45bf-a5c6-ceee64ffa1f9 - Third Party Advisory        | https://wpscan.com/vulnerability/21aa7e18-0162-45bf-a5c6-ceee64ffa1f9 - Third Party Advisory

Information

Published : 2021-04-12 14:15

Updated : 2024-11-21 05:52


NVD link : CVE-2021-24200

Mitre link : CVE-2021-24200

CVE.ORG link : CVE-2021-24200

Products Affected

tms-outsource

  • wpdatatables
CWE

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')