CVE-2021-24285
Published: 2021-05-14
Priority: P1 · 83 · critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: In the wild · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 14.70% (96.2th percentile)
The request_list_request AJAX call of the Car Seller - Auto Classifieds Script WordPress plugin through 2.1.0, available to both authenticated and unauthenticated users, does not sanitise, validate or escape the order_id POST parameter before using it in a SQL statement, leading to a SQL Injection issue.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cars-seller-auto-classifieds-script_project | cars-seller-auto-classifieds-script | <= 2.1.0 | — |
Detection & IOCs (extracted from sources)
Command: action=request_list_request&order_id=1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x717a767671,0x685741416c436654694d446d416f717a6b54704a457a5077564653614970664166646654696e724d,0x7171786b71),NULL-- -
Other (response canary): qzvvqhWAAlCfTiMDmAoqzkTpJEzPwVFSaIpfAfdfTinrMqqxkq
- Detect exploitation attempts by monitoring POST requests to /wp-admin/admin-ajax.php with the parameter 'action=request_list_request' and a SQL-injected 'order_id' value (e.g., containing UNION, SELECT, or comment sequences like '-- -').
- The vulnerability is exploitable by both authenticated and unauthenticated users via the 'request_list_request' AJAX action, so no session cookie or nonce is required in the POST request; do not filter alerts on the absence of a WordPress session.
- Look for the canary string 'qzvvqhWAAlCfTiMDmAoqzkTpJEzPwVFSaIpfAfdfTinrMqqxkq' in HTTP responses to /wp-admin/admin-ajax.php as a positive indicator of successful SQL injection exploitation.
- The injected payload uses hex-encoded marker strings (0x717a767671, 0x7171786b71) around the exfiltrated data inside a CONCAT() call; these literals decode to 'qzvvq' and 'qqxkq', the first and last five characters of the canary above. Look for these hex literals in POST body traffic as a signature of this specific exploit, keeping in mind that other payloads will carry different markers.
- The affected range is 'through 2.1.0' and no fixed version is recorded in the Affected table above, so scope detection rules to installations running 2.1.0 or earlier and verify against vendor release notes before assuming a later version is patched.
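The detection logic in the list above, as an added worked example (this is not code from the vulnerable plugin, from the Nuclei template or from any of the sources on this page). It classifies POST bodies sent to admin-ajax.php, decodes the hex literals of the published payload to recover the expected canary, and checks responses for it. The sample records are constructed, not captured traffic; the "non-numeric order_id" check is an assumption of this example (a real order id is an integer) added because the keyword regex alone is easy to evade.

```python
"""Detection logic for CVE-2021-24285 exploitation attempts.

Added worked example for this page. It is not code from the vulnerable plugin,
from the Nuclei template, or from any source listed above; it applies the
indicators given in the Detection & IOCs list to constructed HTTP records.
"""
import re
from urllib.parse import parse_qs

AJAX_PATH = "/wp-admin/admin-ajax.php"
VULN_ACTION = "request_list_request"

# Keyword and comment-sequence indicators from the IOC list (case-insensitive).
SQLI_PATTERN = re.compile(r"\bunion\b|\bselect\b|--\s*-|/\*|\bsleep\s*\(", re.I)
# MySQL hex string literals such as 0x717a767671.
HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]+)")


def classify_request(path: str, body: str) -> dict:
    """Classify one POST by path and raw urlencoded body.

    Verdicts:
      sqli    - order_id carries SQL keywords or a comment sequence (page IOC)
      anomaly - order_id absent or not a plain integer; this stricter check is an
                assumption of this example (a real order id is numeric) and
                catches obfuscated payloads the keyword regex would miss
      benign  - anything else, including other admin-ajax actions
    """
    if path.split("?", 1)[0] != AJAX_PATH:
        return {"verdict": "benign", "reason": "not admin-ajax"}
    params = parse_qs(body, keep_blank_values=True)
    if params.get("action", [""])[0] != VULN_ACTION:
        return {"verdict": "benign", "reason": "other action"}
    order_id = params.get("order_id", [""])[0]
    if SQLI_PATTERN.search(order_id):
        return {"verdict": "sqli", "reason": "sql keywords in order_id", "order_id": order_id}
    if not re.fullmatch(r"\d+", order_id):
        return {"verdict": "anomaly", "reason": "non-numeric order_id", "order_id": order_id}
    return {"verdict": "benign", "reason": "numeric order_id"}


def expected_canary(body: str) -> str:
    """Decode every 0x... literal in order_id, in order, and join the results.

    The published payload wraps the extracted column in
    CONCAT(0xPREFIX, 0xVALUE, 0xSUFFIX), so the joined decode is the exact
    string a successful injection echoes back in the response.
    """
    order_id = parse_qs(body).get("order_id", [""])[0]
    return "".join(bytes.fromhex(h).decode("latin-1") for h in HEX_LITERAL.findall(order_id))


def response_has_canary(response_body: str, canary: str) -> bool:
    """True when a non-empty canary appears in the response (successful exploitation)."""
    return bool(canary) and canary in response_body


# Constructed sample traffic (not captured data). EXPLOIT_BODY is the payload
# from the IOC list; EXPLOIT_BODY_ENCODED is the same payload as a client
# would actually put it on the wire, URL-encoded.
EXPLOIT_BODY = (
    "action=request_list_request&order_id=1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,"
    "CONCAT(0x717a767671,0x685741416c436654694d446d416f717a6b54704a457a5077564653614970664166646654696e724d,"
    "0x7171786b71),NULL-- -"
)
EXPLOIT_BODY_ENCODED = (
    EXPLOIT_BODY.replace(" ", "+").replace(",", "%2C").replace("(", "%28").replace(")", "%29")
)

SAMPLE_RECORDS = [
    {"path": AJAX_PATH, "body": "action=request_list_request&order_id=42", "response": "<tr><td>42</td></tr>"},
    {"path": AJAX_PATH, "body": EXPLOIT_BODY,
     "response": "<tr><td>qzvvqhWAAlCfTiMDmAoqzkTpJEzPwVFSaIpfAfdfTinrMqqxkq</td></tr>"},
    {"path": AJAX_PATH, "body": EXPLOIT_BODY_ENCODED, "response": "0 results"},
    {"path": AJAX_PATH, "body": "action=request_list_request&order_id=1'", "response": "SQL syntax error"},
    {"path": AJAX_PATH, "body": "action=heartbeat&order_id=1 UNION SELECT 1", "response": "ok"},
]


def scan(records: list) -> list:
    """Run both checks over request/response pairs; 'confirmed' means the canary came back."""
    findings = []
    for rec in records:
        verdict = classify_request(rec["path"], rec["body"])
        canary = expected_canary(rec["body"]) if verdict["verdict"] == "sqli" else ""
        verdict["confirmed"] = response_has_canary(rec["response"], canary)
        findings.append(verdict)
    return findings


if __name__ == "__main__":
    for rec, finding in zip(SAMPLE_RECORDS, scan(SAMPLE_RECORDS)):
        print(finding["verdict"], "confirmed" if finding["confirmed"] else "", "|", rec["body"][:60])
```

Decoding the literals rather than matching the fixed canary makes the response check work for any payload that uses the CONCAT(0xPREFIX, 0xVALUE, 0xSUFFIX) wrapper (a convention of automated injection tools such as sqlmap, which pick fresh random markers per run), not only for the one captured here. The keyword regex is the noisy, evadable tier; the numeric check is the precise one for this endpoint; a canary in the response is the confirmation that the injection executed.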
CVSS provenance
- NVD v3.1: 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
- VulnCheck: 9.8 CRITICAL
GHSA
GHSA-f9v3-crj2-qwx2 · ghsa_unreviewed · 2022-05-24 · CVE-2021-24285 [CRITICAL] · CWE-89
Title: The request_list_request AJAX call of the Car Seller - Auto Classifieds Script WordPress plugin through 2.1.0 ... (the advisory text is identical to the CVE description above).
VulnCheck
CVE-2021-24285 [CRITICAL] · vulncheck · 2021 · CVSS 9.8
cars-seller-auto-classifieds-script_project / cars-seller-auto-classifieds-script: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description: identical to the CVE description above.
Affected: cars-seller-auto-classifieds-script_project cars-seller-auto-classifieds-script
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot
No detection rules found.
Nuclei
CVE-2021-24285 [CRITICAL] · nuclei · CVSS 9.8
WordPress Car Seller - Auto Classifieds Script - SQL Injection
Template (info block as reproduced on this page; the request and matcher sections are not included here):
```yaml
id: CVE-2021-24285

info:
  name: WordPress Car Seller - Auto Classifieds Script - SQL Injection
  author: ShreyaPohekar
  severity: critical
  description: The request_list_request AJAX call of the Car Seller - Auto Classifieds Script WordPress plugin through 2.1.0, available to both authenticated and unauthenticated users, does not sanitize, validate or escape the order_id POST parameter before using it in a SQL statement, leading to a SQL injection issue.
```
References:
- https://codevigilant.com/disclosure/2021/24-04-2021-wp-plugin-cars-seller-auto-classifieds-script-sql-injection/
- https://wpscan.com/vulnerability/f35d6ab7-dd52-48b3-a79c-3f89edf24162