QwikSec

Security Database

CVE

CWE

Training

CVE-2021-25076

Published: Jan 24, 2022

Modified: Aug 3, 2024

PUBLISHED

Description

The WP User Frontend WordPress plugin before 3.5.26 does not validate and escape the status parameter before using it in a SQL statement in the Subscribers dashboard, leading to an SQL injection. Due to the lack of sanitisation and escaping, this could also lead to Reflected Cross-Site Scripting

Vendor	Product	Versions
Unknown	WP User Frontend – Membership, Profile, Registration & Post Submission Plugin for WordPress	affected `3.5.26 - < 3.5.26`

Weaknesses (CWE)

References

https://wpscan.com/vulnerability/6d3eeba6-5560-4380-a6e9-f008a9112ac6

x_refsource_MISC

https://plugins.trac.wordpress.org/changeset/2648715

x_refsource_CONFIRM

http://packetstormsecurity.com/files/166071/WordPress-WP-User-Frontend-3.5.25-SQL-Injection.html

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.