cnvd - cnvd-2021-29442

CNVD-2021-29442

Vulnerability from cnvd - Published: 2021-04-19

Title

Wordpress WP Google Map SQL注入漏洞

Description

Wordpress WP Google Map是Wordpress的一个应用插件。提供一个将自定义的Google地图或商店定位器快速轻松地添加到WordPress帖子和,或页面中功能。 WordPress plugin WP Google Map Plugin 4.1.5之前版本存在安全漏洞，该漏洞源于插件设置的管理位置页面中，容易受到高级特权用户(admin+) SQL注入的攻击。攻击者可利用该漏洞获取数据库敏感信息。

Severity

中

Patch Name

Wordpress WP Google Map SQL注入漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://wordpress.org/

Reference

https://nvd.nist.gov/vuln/detail/CVE-2021-24130

Impacted products

Name
WordPress WP Google Map plugin <4.1.5

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-24130",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-24130"
    }
  },
  "description": "Wordpress WP Google Map\u662fWordpress\u7684\u4e00\u4e2a\u5e94\u7528\u63d2\u4ef6\u3002\u63d0\u4f9b\u4e00\u4e2a\u5c06\u81ea\u5b9a\u4e49\u7684Google\u5730\u56fe\u6216\u5546\u5e97\u5b9a\u4f4d\u5668\u5feb\u901f\u8f7b\u677e\u5730\u6dfb\u52a0\u5230WordPress\u5e16\u5b50\u548c,\u6216\u9875\u9762\u4e2d\u529f\u80fd\u3002\n\nWordPress plugin WP Google Map Plugin 4.1.5\u4e4b\u524d\u7248\u672c\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u63d2\u4ef6\u8bbe\u7f6e\u7684\u7ba1\u7406\u4f4d\u7f6e\u9875\u9762\u4e2d\uff0c\u5bb9\u6613\u53d7\u5230\u9ad8\u7ea7\u7279\u6743\u7528\u6237(admin+) SQL\u6ce8\u5165\u7684\u653b\u51fb\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u6570\u636e\u5e93\u654f\u611f\u4fe1\u606f\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://wordpress.org/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-29442",
  "openTime": "2021-04-19",
  "patchDescription": "Wordpress WP Google Map\u662fWordpress\u7684\u4e00\u4e2a\u5e94\u7528\u63d2\u4ef6\u3002\u63d0\u4f9b\u4e00\u4e2a\u5c06\u81ea\u5b9a\u4e49\u7684Google\u5730\u56fe\u6216\u5546\u5e97\u5b9a\u4f4d\u5668\u5feb\u901f\u8f7b\u677e\u5730\u6dfb\u52a0\u5230WordPress\u5e16\u5b50\u548c,\u6216\u9875\u9762\u4e2d\u529f\u80fd\u3002\r\n\r\nWordPress plugin WP Google Map Plugin 4.1.5\u4e4b\u524d\u7248\u672c\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u63d2\u4ef6\u8bbe\u7f6e\u7684\u7ba1\u7406\u4f4d\u7f6e\u9875\u9762\u4e2d\uff0c\u5bb9\u6613\u53d7\u5230\u9ad8\u7ea7\u7279\u6743\u7528\u6237(admin+) SQL\u6ce8\u5165\u7684\u653b\u51fb\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u6570\u636e\u5e93\u654f\u611f\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Wordpress WP Google Map SQL\u6ce8\u5165\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "WordPress WP Google Map plugin \u003c4.1.5"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-24130",
  "serverity": "\u4e2d",
  "submitTime": "2021-03-19",
  "title": "Wordpress WP Google Map SQL\u6ce8\u5165\u6f0f\u6d1e"
}

CVE-2021-24130 (GCVE-0-2021-24130)

Vulnerability from cvelistv5 – Published: 2021-03-18 14:57 – Updated: 2024-08-03 19:21

Title

WP Google Map Plugin < 4.1.5 - Authenticated SQL Injection

Summary

Unvalidated input in the WP Google Map Plugin WordPress plugin, versions before 4.1.5, in the Manage Locations page within the plugin settings was vulnerable to SQL Injection through a high privileged user (admin+).

Severity ?

No CVSS data available.

CWE

CWE-89 - SQL Injection

Assigner

WPScan

References

URL

Tags

https://wpscan.com/vulnerability/46af9a4d-67ac-4e…

x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Unknown	WP Google Map Plugin	Affected: 4.1.5 , < 4.1.5 (custom)

Credits

Nguyen Anh Tien - SunCSR (Sun* Cyber Security Research)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T19:21:18.661Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://wpscan.com/vulnerability/46af9a4d-67ac-4e08-a753-a2a44245f4f8"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "WP Google Map Plugin",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "4.1.5",
              "status": "affected",
              "version": "4.1.5",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": " Nguyen Anh Tien - SunCSR (Sun* Cyber Security Research)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Unvalidated input in the WP Google Map Plugin WordPress plugin, versions before 4.1.5, in the Manage Locations page within the plugin settings was vulnerable to SQL Injection through a high privileged user (admin+)."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89 SQL Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-03-18T14:57:48",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://wpscan.com/vulnerability/46af9a4d-67ac-4e08-a753-a2a44245f4f8"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "WP Google Map Plugin \u003c 4.1.5 - Authenticated SQL Injection",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "contact@wpscan.com",
          "ID": "CVE-2021-24130",
          "STATE": "PUBLIC",
          "TITLE": "WP Google Map Plugin \u003c 4.1.5 - Authenticated SQL Injection"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "WP Google Map Plugin",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "4.1.5",
                            "version_value": "4.1.5"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Unknown"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": " Nguyen Anh Tien - SunCSR (Sun* Cyber Security Research)"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Unvalidated input in the WP Google Map Plugin WordPress plugin, versions before 4.1.5, in the Manage Locations page within the plugin settings was vulnerable to SQL Injection through a high privileged user (admin+)."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-89 SQL Injection"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wpscan.com/vulnerability/46af9a4d-67ac-4e08-a753-a2a44245f4f8",
              "refsource": "MISC",
              "url": "https://wpscan.com/vulnerability/46af9a4d-67ac-4e08-a753-a2a44245f4f8"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2021-24130",
    "datePublished": "2021-03-18T14:57:48",
    "dateReserved": "2021-01-14T00:00:00",
    "dateUpdated": "2024-08-03T19:21:18.661Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2021-29442

CVE-2021-24130 (GCVE-0-2021-24130)

Tags

Sightings

Nomenclature