Support Board < 3.3.4 - Multiple Unauthenticated SQL Injections
CVE-2021-24741

9.8CRITICAL

Key Information:

Vendor: Wordpress
Status: Support Board
Vendor: CVE Published:; 20 September 2021

Badges

👾 Exploit Exists🟣 EPSS 58%

What is CVE-2021-24741?

The Support Board WordPress plugin before 3.3.4 does not escape multiple POST parameters (such as status_code, department, user_id, conversation_id, conversation_status_code, and recipient_id) before using them in SQL statements, leading to SQL injections which are exploitable by unauthenticated users.

Affected Version(s)

Support Board 3.3.4

References

https://medium.com/%40lijohnjefferson/multiple-sql-inject...

x_refsource_MISC

https://wpscan.com/vulnerability/ccf293ec-7607-412b-b662-...

x_refsource_MISC

https://board.support/changes

x_refsource_MISC

EPSS Score

58% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 20, 2021
🟡
Public PoC available
Aug 28, 2021
👾
Exploit known to exist
Aug 28, 2021
Vulnerability Reserved
Jan 14, 2021

Credit

John Jefferson Li

JSON

Wordpress

Badges

What is CVE-2021-24741?

Affected Version(s)

References

EPSS Score

CVSS V3.1

Timeline

Credit