CVE-2021-24285 Information

Description

The request_list_request AJAX call of the Car Seller - Auto Classifieds Script WordPress plugin through 2.1.0 available to both authenticated and unauthenticated users does not sanitise validate or escape the order_id POST parameter before using it in a SQL statement leading to a SQL Injection issue.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

https://codevigilant.com/disclosure/2021/24-04-2021-wp-plugin-cars-seller-auto-classifieds-script-sql-injection/ https://wpscan.com/vulnerability/f35d6ab7-dd52-48b3-a79c-3f89edf24162

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

9.8