Conversios.io < 4.6.2 - Subscriber+ SQL Injection
CVE-2021-24952

8.8HIGH

Key Information:

Vendor: Wordpress
Status: ConversiOS.io – Google Analytics And Google Shopping Plugin For WooCommerce
Vendor: CVE Published:; 7 March 2022

Summary

The Conversios.io WordPress plugin before 4.6.2 does not sanitise, validate and escape the sync_progressive_data parameter for the tvcajax_product_sync_bantch_wise AJAX action before using it in a SQL statement, allowing any authenticated user to perform SQL injection attacks.

Affected Version(s)

Conversios.io – Google Analytics and Google Shopping plugin for WooCommerce 4.6.2

References

https://wpscan.com/vulnerability/cbb8fa9f-1c84-4410-ae86-...

x_refsource_MISC

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 7, 2022
Vulnerability Reserved
Jan 14, 2021

Credit

JrXnm