CVE-2021-24741
Published: 2021-09-20
Priority: P259 | Severity: critical | Score: 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 5.52% (91.8th percentile)
The Support Board WordPress plugin before 3.3.4 does not escape multiple POST parameters (such as status_code, department, user_id, conversation_id, conversation_status_code, and recipient_id) before using them in SQL statements, leading to SQL injections which are exploitable by unauthenticated users.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| schiocco | support_board_chat_and_help_desk | < 3.3.4 | 3.3.4 |
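CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |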
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://board.support/changes
https://medium.com/%40lijohnjefferson/multiple-sql-injection-unauthenticated-in-support-board-v-3-3-3-3e9b4214a4f9
https://wpscan.com/vulnerability/ccf293ec-7607-412b-b662-5e237b8690ca