CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 2CVE-2021-24492 – Handsome Testimonials & Reviews < 2.1.1 - Authenticated (Subscriber+) SQL Injection
https://notcve.org/view.php?id=CVE-2021-24492
The hndtst_action_instance_callback AJAX call of the Handsome Testimonials & Reviews WordPress plugin before 2.1.1, available to any authenticated users, does not sanitise, validate or escape the hndtst_previewShortcodeInstanceId POST parameter before using it in a SQL statement, leading to an SQL Injection issue. La llamada AJAX hndtst_action_instance_callback del plugin de WordPress Handsome Testimonials & Reviews versiones anteriores a 2.1.1, disponible para cualquier usuario autenticado, no sanea, comprueba ni escapa del parámetro POST hndtst_previewShortcodeInstanceId antes de usarlo en una sentencia SQL, conllevando a un problema de inyección SQL • https://codevigilant.com/disclosure/2021/wp-plugin-handsome-testimonials https://wpscan.com/vulnerability/42760007-0e59-4d45-8d64-86bc0b8dacea • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •