Vulnerability-Lookup

CVE-2021-24303 (GCVE-0-2021-24303)

Vulnerability from cvelistv5 – Published: 2021-09-06 11:09 – Updated: 2024-08-03 19:28

Title

JiangQie Official Website Mini Program < 1.1.1 - Authenticated SQL Injection

Summary

The JiangQie Official Website Mini Program WordPress plugin before 1.1.1 does not escape or validate the id GET parameter before using it in SQL statements, leading to SQL injection issues

Severity ?

No CVSS data available.

CWE

CWE-89 - SQL Injection

Assigner

WPScan

References

URL

Tags

	https://wpscan.com/vulnerability/cbd65b7d-d3c3-4e…	x_refsource_MISC
	https://github.com/ja9er/CVEProject/blob/main/wor…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Unknown	JiangQie Official Website Mini Program	Affected: 1.1.1 , < 1.1.1 (custom)

Credits

wangxiaohui@webray.com.cn inc

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T19:28:23.552Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://wpscan.com/vulnerability/cbd65b7d-d3c3-4ee3-8e5e-ff0eeeaa7b30"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/ja9er/CVEProject/blob/main/wordpress_jiangqie-official-website-mini-program_sqli.md"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "JiangQie Official Website Mini Program",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "1.1.1",
              "status": "affected",
              "version": "1.1.1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "wangxiaohui@webray.com.cn inc"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The JiangQie Official Website Mini Program WordPress plugin before 1.1.1 does not escape or validate the id GET parameter before using it in SQL statements, leading to SQL injection issues"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89 SQL Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-09-06T11:09:18.000Z",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://wpscan.com/vulnerability/cbd65b7d-d3c3-4ee3-8e5e-ff0eeeaa7b30"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ja9er/CVEProject/blob/main/wordpress_jiangqie-official-website-mini-program_sqli.md"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "JiangQie Official Website Mini Program \u003c 1.1.1 - Authenticated SQL Injection",
      "x_generator": "WPScan CVE Generator",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "contact@wpscan.com",
          "ID": "CVE-2021-24303",
          "STATE": "PUBLIC",
          "TITLE": "JiangQie Official Website Mini Program \u003c 1.1.1 - Authenticated SQL Injection"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "JiangQie Official Website Mini Program",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "1.1.1",
                            "version_value": "1.1.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Unknown"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "wangxiaohui@webray.com.cn inc"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The JiangQie Official Website Mini Program WordPress plugin before 1.1.1 does not escape or validate the id GET parameter before using it in SQL statements, leading to SQL injection issues"
            }
          ]
        },
        "generator": "WPScan CVE Generator",
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-89 SQL Injection"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wpscan.com/vulnerability/cbd65b7d-d3c3-4ee3-8e5e-ff0eeeaa7b30",
              "refsource": "MISC",
              "url": "https://wpscan.com/vulnerability/cbd65b7d-d3c3-4ee3-8e5e-ff0eeeaa7b30"
            },
            {
              "name": "https://github.com/ja9er/CVEProject/blob/main/wordpress_jiangqie-official-website-mini-program_sqli.md",
              "refsource": "MISC",
              "url": "https://github.com/ja9er/CVEProject/blob/main/wordpress_jiangqie-official-website-mini-program_sqli.md"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2021-24303",
    "datePublished": "2021-09-06T11:09:18.000Z",
    "dateReserved": "2021-01-14T00:00:00.000Z",
    "dateUpdated": "2024-08-03T19:28:23.552Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2021-24303",
      "date": "2026-05-04",
      "epss": "0.00582",
      "percentile": "0.69006"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:jiangqie:official_website_mini_program:*:*:*:*:*:wordpress:*:*\", \"versionEndExcluding\": \"1.1.1\", \"matchCriteriaId\": \"779FF20E-57FA-4AD9-950A-7207D39AC2AA\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"The JiangQie Official Website Mini Program WordPress plugin before 1.1.1 does not escape or validate the id GET parameter before using it in SQL statements, leading to SQL injection issues\"}, {\"lang\": \"es\", \"value\": \"El plugin de WordPress JiangQie Official Website Mini Program versiones anteriores a 1.1.1, no escapa ni comprueba el par\\u00e1metro id GET antes de usarlo en sentencias SQL, conllevando a problemas de inyecci\\u00f3n SQL.\"}]",
      "id": "CVE-2021-24303",
      "lastModified": "2024-11-21T05:52:48.063",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:S/C:P/I:P/A:P\", \"baseScore\": 6.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2021-09-06T11:15:07.507",
      "references": "[{\"url\": \"https://github.com/ja9er/CVEProject/blob/main/wordpress_jiangqie-official-website-mini-program_sqli.md\", \"source\": \"contact@wpscan.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://wpscan.com/vulnerability/cbd65b7d-d3c3-4ee3-8e5e-ff0eeeaa7b30\", \"source\": \"contact@wpscan.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/ja9er/CVEProject/blob/main/wordpress_jiangqie-official-website-mini-program_sqli.md\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://wpscan.com/vulnerability/cbd65b7d-d3c3-4ee3-8e5e-ff0eeeaa7b30\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "contact@wpscan.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"contact@wpscan.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-89\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-89\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-24303\",\"sourceIdentifier\":\"contact@wpscan.com\",\"published\":\"2021-09-06T11:15:07.507\",\"lastModified\":\"2024-11-21T05:52:48.063\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The JiangQie Official Website Mini Program WordPress plugin before 1.1.1 does not escape or validate the id GET parameter before using it in SQL statements, leading to SQL injection issues\"},{\"lang\":\"es\",\"value\":\"El plugin de WordPress JiangQie Official Website Mini Program versiones anteriores a 1.1.1, no escapa ni comprueba el par\u00e1metro id GET antes de usarlo en sentencias SQL, conllevando a problemas de inyecci\u00f3n SQL.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:P/I:P/A:P\",\"baseScore\":6.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"contact@wpscan.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jiangqie:official_website_mini_program:*:*:*:*:*:wordpress:*:*\",\"versionEndExcluding\":\"1.1.1\",\"matchCriteriaId\":\"779FF20E-57FA-4AD9-950A-7207D39AC2AA\"}]}]}],\"references\":[{\"url\":\"https://github.com/ja9er/CVEProject/blob/main/wordpress_jiangqie-official-website-mini-program_sqli.md\",\"source\":\"contact@wpscan.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://wpscan.com/vulnerability/cbd65b7d-d3c3-4ee3-8e5e-ff0eeeaa7b30\",\"source\":\"contact@wpscan.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/ja9er/CVEProject/blob/main/wordpress_jiangqie-official-website-mini-program_sqli.md\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://wpscan.com/vulnerability/cbd65b7d-d3c3-4ee3-8e5e-ff0eeeaa7b30\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}"
  }
}

GHSA-PJ62-VWGH-4FWM

Vulnerability from github – Published: 2022-05-24 19:13 – Updated: 2022-05-24 19:13

Details

The JiangQie Official Website Mini Program WordPress plugin before 1.1.1 does not escape or validate the id GET parameter before using it in SQL statements, leading to SQL injection issues

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2021-24303"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-06T11:15:00Z",
    "severity": "HIGH"
  },
  "details": "The JiangQie Official Website Mini Program WordPress plugin before 1.1.1 does not escape or validate the id GET parameter before using it in SQL statements, leading to SQL injection issues",
  "id": "GHSA-pj62-vwgh-4fwm",
  "modified": "2022-05-24T19:13:05Z",
  "published": "2022-05-24T19:13:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24303"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ja9er/CVEProject/blob/main/wordpress_jiangqie-official-website-mini-program_sqli.md"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/cbd65b7d-d3c3-4ee3-8e5e-ff0eeeaa7b30"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

FKIE_CVE-2021-24303

Vulnerability from fkie_nvd - Published: 2021-09-06 11:15 - Updated: 2024-11-21 05:52

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

The JiangQie Official Website Mini Program WordPress plugin before 1.1.1 does not escape or validate the id GET parameter before using it in SQL statements, leading to SQL injection issues

References

URL	Tags
contact@wpscan.com	https://github.com/ja9er/CVEProject/blob/main/wordpress_jiangqie-official-website-mini-program_sqli.md	Exploit, Third Party Advisory
contact@wpscan.com	https://wpscan.com/vulnerability/cbd65b7d-d3c3-4ee3-8e5e-ff0eeeaa7b30	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/ja9er/CVEProject/blob/main/wordpress_jiangqie-official-website-mini-program_sqli.md	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://wpscan.com/vulnerability/cbd65b7d-d3c3-4ee3-8e5e-ff0eeeaa7b30	Exploit, Third Party Advisory

Impacted products

	Vendor	Product	Version
	jiangqie	official_website_mini_program	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:jiangqie:official_website_mini_program:*:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "779FF20E-57FA-4AD9-950A-7207D39AC2AA",
              "versionEndExcluding": "1.1.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The JiangQie Official Website Mini Program WordPress plugin before 1.1.1 does not escape or validate the id GET parameter before using it in SQL statements, leading to SQL injection issues"
    },
    {
      "lang": "es",
      "value": "El plugin de WordPress JiangQie Official Website Mini Program versiones anteriores a 1.1.1, no escapa ni comprueba el par\u00e1metro id GET antes de usarlo en sentencias SQL, conllevando a problemas de inyecci\u00f3n SQL."
    }
  ],
  "id": "CVE-2021-24303",
  "lastModified": "2024-11-21T05:52:48.063",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-09-06T11:15:07.507",
  "references": [
    {
      "source": "contact@wpscan.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/ja9er/CVEProject/blob/main/wordpress_jiangqie-official-website-mini-program_sqli.md"
    },
    {
      "source": "contact@wpscan.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://wpscan.com/vulnerability/cbd65b7d-d3c3-4ee3-8e5e-ff0eeeaa7b30"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/ja9er/CVEProject/blob/main/wordpress_jiangqie-official-website-mini-program_sqli.md"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://wpscan.com/vulnerability/cbd65b7d-d3c3-4ee3-8e5e-ff0eeeaa7b30"
    }
  ],
  "sourceIdentifier": "contact@wpscan.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "contact@wpscan.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CNVD-2021-70740

Vulnerability from cnvd - Published: 2021-09-14

Title

WordPress SQL注入漏洞（CNVD-2021-70740）

Description

WordPress是WordPress（Wordpress）基金会的一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。 WordPress JiangQie 1.1.1之前版本存在SQL注入漏洞，该漏洞源于基于数据库的应用缺少对外部输入SQL语句的验证。攻击者可利用该漏洞执行非法SQL命令。

Severity

中

Patch Name

WordPress SQL注入漏洞（CNVD-2021-70740）的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://wpscan.com/vulnerability/cbd65b7d-d3c3-4ee3-8e5e-ff0eeeaa7b30

Reference

https://wpscan.com/vulnerability/cbd65b7d-d3c3-4ee3-8e5e-ff0eeeaa7b30

Impacted products

Name
WordPress JiangQie Official Website Mini Program <1.1.1

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-24303"
    }
  },
  "description": "WordPress\u662fWordPress\uff08Wordpress\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u4f7f\u7528PHP\u8bed\u8a00\u5f00\u53d1\u7684\u535a\u5ba2\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u652f\u6301\u5728PHP\u548cMySQL\u7684\u670d\u52a1\u5668\u4e0a\u67b6\u8bbe\u4e2a\u4eba\u535a\u5ba2\u7f51\u7ad9\u3002\n\nWordPress JiangQie 1.1.1\u4e4b\u524d\u7248\u672c\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u57fa\u4e8e\u6570\u636e\u5e93\u7684\u5e94\u7528\u7f3a\u5c11\u5bf9\u5916\u90e8\u8f93\u5165SQL\u8bed\u53e5\u7684\u9a8c\u8bc1\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u975e\u6cd5SQL\u547d\u4ee4\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://wpscan.com/vulnerability/cbd65b7d-d3c3-4ee3-8e5e-ff0eeeaa7b30",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-70740",
  "openTime": "2021-09-14",
  "patchDescription": "WordPress\u662fWordPress\uff08Wordpress\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u4f7f\u7528PHP\u8bed\u8a00\u5f00\u53d1\u7684\u535a\u5ba2\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u652f\u6301\u5728PHP\u548cMySQL\u7684\u670d\u52a1\u5668\u4e0a\u67b6\u8bbe\u4e2a\u4eba\u535a\u5ba2\u7f51\u7ad9\u3002\r\n\r\nWordPress JiangQie 1.1.1\u4e4b\u524d\u7248\u672c\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u57fa\u4e8e\u6570\u636e\u5e93\u7684\u5e94\u7528\u7f3a\u5c11\u5bf9\u5916\u90e8\u8f93\u5165SQL\u8bed\u53e5\u7684\u9a8c\u8bc1\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u975e\u6cd5SQL\u547d\u4ee4\u3002 \u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "WordPress SQL\u6ce8\u5165\u6f0f\u6d1e\uff08CNVD-2021-70740\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "WordPress JiangQie Official Website Mini Program \u003c1.1.1"
  },
  "referenceLink": "https://wpscan.com/vulnerability/cbd65b7d-d3c3-4ee3-8e5e-ff0eeeaa7b30",
  "serverity": "\u4e2d",
  "submitTime": "2021-09-08",
  "title": "WordPress SQL\u6ce8\u5165\u6f0f\u6d1e\uff08CNVD-2021-70740\uff09"
}

GSD-2021-24303

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

The JiangQie Official Website Mini Program WordPress plugin before 1.1.1 does not escape or validate the id GET parameter before using it in SQL statements, leading to SQL injection issues

Aliases

CVE-2021-24303

Aliases

CVE-2021-24303

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-24303",
    "description": "The JiangQie Official Website Mini Program WordPress plugin before 1.1.1 does not escape or validate the id GET parameter before using it in SQL statements, leading to SQL injection issues",
    "id": "GSD-2021-24303"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-24303"
      ],
      "details": "The JiangQie Official Website Mini Program WordPress plugin before 1.1.1 does not escape or validate the id GET parameter before using it in SQL statements, leading to SQL injection issues",
      "id": "GSD-2021-24303",
      "modified": "2023-12-13T01:23:37.714816Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "contact@wpscan.com",
        "ID": "CVE-2021-24303",
        "STATE": "PUBLIC",
        "TITLE": "JiangQie Official Website Mini Program \u003c 1.1.1 - Authenticated SQL Injection"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "JiangQie Official Website Mini Program",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "1.1.1",
                          "version_value": "1.1.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Unknown"
            }
          ]
        }
      },
      "credit": [
        {
          "lang": "eng",
          "value": "wangxiaohui@webray.com.cn inc"
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The JiangQie Official Website Mini Program WordPress plugin before 1.1.1 does not escape or validate the id GET parameter before using it in SQL statements, leading to SQL injection issues"
          }
        ]
      },
      "generator": "WPScan CVE Generator",
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-89 SQL Injection"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://wpscan.com/vulnerability/cbd65b7d-d3c3-4ee3-8e5e-ff0eeeaa7b30",
            "refsource": "MISC",
            "url": "https://wpscan.com/vulnerability/cbd65b7d-d3c3-4ee3-8e5e-ff0eeeaa7b30"
          },
          {
            "name": "https://github.com/ja9er/CVEProject/blob/main/wordpress_jiangqie-official-website-mini-program_sqli.md",
            "refsource": "MISC",
            "url": "https://github.com/ja9er/CVEProject/blob/main/wordpress_jiangqie-official-website-mini-program_sqli.md"
          }
        ]
      },
      "source": {
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:jiangqie:official_website_mini_program:*:*:*:*:*:wordpress:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.1.1",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "contact@wpscan.com",
          "ID": "CVE-2021-24303"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "The JiangQie Official Website Mini Program WordPress plugin before 1.1.1 does not escape or validate the id GET parameter before using it in SQL statements, leading to SQL injection issues"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-89"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/ja9er/CVEProject/blob/main/wordpress_jiangqie-official-website-mini-program_sqli.md",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://github.com/ja9er/CVEProject/blob/main/wordpress_jiangqie-official-website-mini-program_sqli.md"
            },
            {
              "name": "https://wpscan.com/vulnerability/cbd65b7d-d3c3-4ee3-8e5e-ff0eeeaa7b30",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://wpscan.com/vulnerability/cbd65b7d-d3c3-4ee3-8e5e-ff0eeeaa7b30"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 8.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2021-09-09T19:52Z",
      "publishedDate": "2021-09-06T11:15Z"
    }
  }
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-24303 (GCVE-0-2021-24303)

GHSA-PJ62-VWGH-4FWM

FKIE_CVE-2021-24303

CNVD-2021-70740

GSD-2021-24303

Tags

Sightings

Nomenclature