This is a summary of the AI-generated 10-question deep analysis.
Q1 What is this vulnerability? (Essence + Consequences)
**Essence**: SQL Injection (SQLi) in 'Car Seller - Auto Classifieds Script' WP plugin. **Consequences**: Attackers can manipulate SQL queries via the `order_id` POST parameter.…
**CWE-89**: Improper Neutralization of Special Elements used in an SQL Command. **Flaw**: The plugin fails to sanitize, validate, or escape the `order_id` parameter before injecting it into SQL statements.…
**Product**: Car Seller - Auto Classifieds Script WordPress Plugin. **Affected Versions**: Version 2.1.0 and all previous versions. **Vendor**: Unknown.
Q4 What can hackers do? (Privileges/Data)
**Privileges**: Exploitable by both **Authenticated** and **Unauthenticated** users. **Data Impact**: Full SQL injection capabilities.…
**Threshold**: LOW. **Auth**: No authentication required! The vulnerability exists in the `request_list_request` AJAX call, accessible to anyone visiting the site. This makes it extremely easy to exploit.
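The flaw class described above (an unauthenticated AJAX action passing `order_id` straight into SQL), shown beside a hardened handler. This is an added example, not the plugin's source: only the action name `request_list_request` and the `order_id` parameter come from this page, while the function names, table and columns are hypothetical and `order_id` is assumed to be an integer key.

```php
<?php
// Added illustration: NOT the plugin's code. The demo_* names, the table and
// its columns are hypothetical; only the AJAX action name and the `order_id`
// POST parameter are taken from the advisory text.

// Registering under wp_ajax_nopriv_ is what exposes a handler to logged-out visitors.
add_action( 'wp_ajax_request_list_request', 'demo_request_list_fixed' );
add_action( 'wp_ajax_nopriv_request_list_request', 'demo_request_list_fixed' );

// BEFORE (CWE-89 pattern): raw POST data concatenated into the statement.
function demo_request_list_vulnerable() {
    global $wpdb;
    $order_id = $_POST['order_id']; // caller-controlled, never validated
    $sql = "SELECT * FROM {$wpdb->prefix}demo_requests WHERE order_id = " . $order_id;
    wp_send_json_success( $wpdb->get_results( $sql ) );
}

// AFTER: validate the type, then bind the value through $wpdb->prepare().
function demo_request_list_fixed() {
    global $wpdb;

    $raw = isset( $_POST['order_id'] ) ? wp_unslash( $_POST['order_id'] ) : '';

    // Assumption: order_id is a positive integer key. Reject anything else
    // rather than silently coercing it, so probing surfaces as HTTP 400s.
    if ( ! is_string( $raw ) || ! ctype_digit( $raw ) ) {
        wp_send_json_error( array( 'message' => 'Invalid order_id' ), 400 );
    }
    $order_id = absint( $raw );

    // %d binds the value as an integer; it never becomes part of the SQL text.
    $sql = $wpdb->prepare(
        "SELECT id, order_id, status FROM {$wpdb->prefix}demo_requests WHERE order_id = %d",
        $order_id
    );
    wp_send_json_success( $wpdb->get_results( $sql ) );
}
```

If the real parameter is not numeric, the same structure applies with an allow-list check and a `%s` placeholder in `$wpdb->prepare()`.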
Q6 Is there a public Exp? (PoC/Wild Exploitation)
**Public Exp?**: YES. **PoC**: Available via Nuclei templates (projectdiscovery/nuclei-templates).…
**Urgency**: HIGH. **Priority**: Critical. Since it affects unauthenticated users and has public PoCs, immediate action is required. Patch or disable the plugin ASAP to prevent data breaches.