cbcvebase.
CVE-2021-24285
published 2021-05-14


Priority: P183 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW exploit · VulnCheck KEV · Exploited in the wild
EPSS: 14.70% (96.2th percentile)
The request_list_request AJAX call of the Car Seller - Auto Classifieds Script WordPress plugin through 2.1.0, available to both authenticated and unauthenticated users, does not sanitise, validate or escape the order_id POST parameter before using it in a SQL statement, leading to a SQL Injection issue.

Affected (1 range)

Vendor: cars-seller-auto-classifieds-script_project
Product: cars-seller-auto-classifieds-script
Version range: <= 2.1.0
Fixed in: (none listed)

Detection & IOCs (extracted from sources)

URL: /wp-admin/admin-ajax.php
Command: action=request_list_request&order_id=1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x717a767671,0x685741416c436654694d446d416f717a6b54704a457a5077564653614970664166646654696e724d,0x7171786b71),NULL-- -
Other: qzvvqhWAAlCfTiMDmAoqzkTpJEzPwVFSaIpfAfdfTinrMqqxkq
  • Detect exploitation attempts by monitoring POST requests to /wp-admin/admin-ajax.php with the parameter 'action=request_list_request' and a SQL-injected 'order_id' value (e.g., containing UNION, SELECT, or comment sequences like '-- -').
  • The vulnerability is exploitable by both authenticated and unauthenticated users via the 'request_list_request' AJAX action, so no session/auth token is required in the POST request.
  • Look for the canary string 'qzvvqhWAAlCfTiMDmAoqzkTpJEzPwVFSaIpfAfdfTinrMqqxkq' in HTTP responses to /wp-admin/admin-ajax.php as a positive indicator of successful SQL injection exploitation.
  • The injected payload uses hex-encoded marker strings (0x717a767671, 0x7171786b71) around the exfiltrated data inside a CONCAT() call — look for these hex literals in POST body traffic as a signature of this specific exploit.
  • The vulnerable plugin version is 'through 2.1.0'; scope detection rules to installations running this version or earlier, since later, patched versions are not expected to be affected.
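The indicators above turned into a check a defender can run over captured HTTP transactions, as an added example that is not part of this record or of any vendor tooling. The transaction tuple layout, the helper names inspect_request and scan, and the sample transactions are assumptions; the constants come from the record.

```python
import re
from urllib.parse import parse_qs

# Values taken from the Detection & IOCs section of the record.
TARGET_PATH = "/wp-admin/admin-ajax.php"
TARGET_ACTION = "request_list_request"
CANARY = "qzvvqhWAAlCfTiMDmAoqzkTpJEzPwVFSaIpfAfdfTinrMqqxkq"
HEX_MARKERS = ("0x717a767671", "0x7171786b71")
# UNION / SELECT keywords and SQL comment sequences named in the detection notes.
SQLI_PATTERN = re.compile(r"\bUNION\b|\bSELECT\b|--\s*-|/\*", re.IGNORECASE)


def inspect_request(method, path, body, response_body=""):
    """Return the indicator names matched by one HTTP transaction (empty if none)."""
    if method.upper() != "POST" or path.split("?")[0] != TARGET_PATH:
        return []
    params = parse_qs(body, keep_blank_values=True)  # decodes %xx and '+'
    if TARGET_ACTION not in params.get("action", []):
        return []
    findings = []
    for value in params.get("order_id", []):
        if not value.isdigit():  # the plugin expects a numeric id
            findings.append("non_numeric_order_id")
        if SQLI_PATTERN.search(value):
            findings.append("sqli_pattern_in_order_id")
        if any(marker in value.lower() for marker in HEX_MARKERS):
            findings.append("exploit_hex_markers")
    if CANARY in response_body:  # successful injection echoes the canary
        findings.append("canary_in_response")
    return list(dict.fromkeys(findings))  # de-duplicate, keep order


# Constructed sample transactions: (method, path, POST body, response body).
SAMPLE_TRANSACTIONS = [
    ("POST", TARGET_PATH, "action=request_list_request&order_id=42", "<tr><td>42</td></tr>"),
    ("POST", TARGET_PATH,
     "action=request_list_request&order_id=1+UNION+ALL+SELECT+NULL,NULL,NULL,NULL,NULL,NULL,NULL,"
     "CONCAT(0x717a767671,0x685741416c436654694d446d416f717a6b54704a457a5077564653614970664166646654696e724d,"
     "0x7171786b71),NULL--+-",
     "<tr><td>" + CANARY + "</td></tr>"),
    ("POST", TARGET_PATH, "action=heartbeat&_nonce=deadbeef", "{}"),
    ("GET", TARGET_PATH + "?action=request_list_request", "", ""),
]


def scan(transactions):
    """Return (index, findings) for every transaction that matched at least one indicator."""
    hits = [(i, inspect_request(*t)) for i, t in enumerate(transactions)]
    return [(i, f) for i, f in hits if f]
```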

CVSS provenance

NVD v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
VulnCheck: 9.8 CRITICAL