CVE-2021-43408 : The "Duplicate Post" WordPress plugin up to and including version 1.1.9 is vulne

The "Duplicate Post" WordPress plugin up to and including version 1.1.9 is vulnerable to SQL Injection. SQL injection vulnerabilities occur when client supplied data is included within an SQL Query insecurely. SQL Injection can typically be exploited to read, modify and delete SQL table data. In many cases it also possible to exploit features of SQL server to execute system commands and/or access the local file system. This particular vulnerability can be exploited by any authenticated user who has been granted access to use the Duplicate Post plugin. By default, this is limited to Administrators, however the plugin presents the option to permit access to the Editor, Author, Contributor and Subscriber roles.

Published 2021-11-19 16:15:08

Updated 2021-11-24 16:53:12

Source AppCheck Ltd.

View at NVD, CVE.org

Vulnerability category: Sql Injection

Products affected by CVE-2021-43408

Duplicate Post Project » Duplicate Post » For Wordpress
Versions up to, including, (<=) 1.1.9
cpe:2.3:a:duplicate_post_project:duplicate_post:*:*:*:*:*:wordpress:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2021-43408

EPSS FAQ

31.28%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 96 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-43408

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
9.0	HIGH	AV:N/AC:L/Au:S/C:C/I:C/A:C	8.0	10.0	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N	1.2	5.2	AppCheck Ltd.
Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: None
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2021-43408

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Assigned by:
- info@appcheck-ng.com (Secondary)
- nvd@nist.gov (Primary)

References for CVE-2021-43408

https://plugins.trac.wordpress.org/browser/copy-delete-posts/tags/1.2.0/post/handler.php#L510

handler.php in copy-delete-posts/tags/1.2.0/post – WordPress Plugin Repository
Third Party Advisory
https://appcheck-ng.com/security-advisory-duplicate-post-wordpress-plugin-sql-injection-vulnerability/

Duplicate Post WordPress Plugin SQL Injection Vulnerability
Exploit;Third Party Advisory

Jump to

Vulnerability Details : CVE-2021-43408

Products affected by CVE-2021-43408

Exploit prediction scoring system (EPSS) score for CVE-2021-43408

CVSS scores for CVE-2021-43408

CWE ids for CVE-2021-43408

References for CVE-2021-43408