CVE-2021-25076

Published: 24/01/2022 Updated: 18/03/2022
CVSS v2 Base Score: 6.5 | Impact Score: 6.4 | Exploitability Score: 8
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 578
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

Vulnerability Summary

The WP User Frontend WordPress plugin prior to 3.5.26 does not validate and escape the status parameter before using it in a SQL statement in the Subscribers dashboard, leading to an SQL injection. Due to the lack of sanitisation and escaping, this could also lead to Reflected Cross-Site Scripting.

Vulnerable Product

wedevs wp user frontend

Exploits

WordPress WP User Frontend plugin version 3.5.25 suffers from an authenticated remote SQL injection vulnerability ...

Github Repositories

Wordpress Plugin WP User Frontend < 3.5.26 - SQL-Injection (Authenticated)

CVE-2021-25076-Exploit: Wordpress Plugin WP User Frontend < 3.5.26 - SQL-Injection (Authenticated)

CVE description: The WP User Frontend WordPress plugin before 3.5.26 does not validate and escape the status parameter before using it in a SQL statement in the Subscribers dashboard, leading to an SQL injection. Due to the lack of sanitisation and escaping, this could also