CVE-2021-24762
Published 2022-02-01
Priority P190 · critical · 9.8 · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · Exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS 86.90% (99.7th percentile)
The Perfect Survey WordPress plugin before 1.5.2 does not validate and escape the question_id GET parameter before using it in a SQL statement in the get_question AJAX action, allowing unauthenticated users to perform SQL injection.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| getperfectsurvey | perfect_survey | < 1.5.2 | 1.5.2 |
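The description above says the question_id GET parameter reaches a SQL statement without validation or escaping. The following is an added illustration, not the plugin's code, of that CWE-89 pattern beside its hardened form, run against a constructed in-memory SQLite stand-in. The question table name and columns (ps_questions: id, text) are assumptions; wp_users only mirrors the core WordPress columns that the Metasploit module further down says the exploit reads.

```python
import sqlite3

# Added illustration, not the plugin's code. ps_questions (id, text) is an
# assumed stand-in for the plugin's own table; wp_users mirrors the core
# WordPress columns (user_login, user_email, user_pass) that exploitation targets.


def build_db():
    """Constructed in-memory database standing in for the WordPress MySQL schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ps_questions (id INTEGER PRIMARY KEY, text TEXT)")
    conn.executemany(
        "INSERT INTO ps_questions VALUES (?, ?)",
        [(1, "How satisfied are you?"), (2, "Would you recommend us?")],
    )
    conn.execute(
        "CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, "
        "user_email TEXT, user_pass TEXT)"
    )
    conn.executemany(
        "INSERT INTO wp_users VALUES (?, ?, ?, ?)",
        [
            (1, "admin", "admin@example.com", "$P$BconstructedHashAdmin"),
            (2, "editor", "editor@example.com", "$P$BconstructedHashEditor"),
        ],
    )
    conn.commit()
    return conn


def get_question_vulnerable(conn, question_id):
    """CWE-89 pattern: the GET parameter is concatenated into the statement unchanged."""
    sql = "SELECT id, text FROM ps_questions WHERE id = " + question_id
    return conn.execute(sql).fetchall()


def get_question_fixed(conn, question_id):
    """Hardened form: accept only a non-negative integer and bind it as a parameter.

    The WordPress equivalent is absint() on the input plus
    $wpdb->prepare('... WHERE id = %d', $id) for the query.
    """
    if not question_id.isdigit():
        raise ValueError("question_id must be a non-negative integer")
    return conn.execute(
        "SELECT id, text FROM ps_questions WHERE id = ?", (int(question_id),)
    ).fetchall()


# Two constructed payloads of the kind the page's detection notes describe:
# a boolean bypass that dumps every question, and a UNION that lifts
# credentials out of wp_users through the same AJAX response.
BOOLEAN_PAYLOAD = "0 OR 1=1"
UNION_PAYLOAD = "0 UNION ALL SELECT user_login, user_pass FROM wp_users"


def demo():
    """Run the same inputs through both code paths and return what each yields."""
    conn = build_db()
    return {
        "legit": get_question_vulnerable(conn, "1"),
        "boolean": get_question_vulnerable(conn, BOOLEAN_PAYLOAD),
        "union": get_question_vulnerable(conn, UNION_PAYLOAD),
        "fixed": get_question_fixed(conn, "1"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
    try:
        get_question_fixed(build_db(), UNION_PAYLOAD)
    except ValueError as exc:
        print("fixed path rejected payload:", exc)
```

The point of the hardened path is that the check happens before the value touches SQL and the value is then bound, not interpolated; escaping alone would not stop the boolean payload, which contains no quote character. The actual change shipped in Perfect Survey 1.5.2 is not reproduced on this page.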
Detection & IOCs (extracted from sources)
- Monitor unauthenticated HTTP GET requests to wp-admin/admin-ajax.php with action=get_question and a manipulated question_id parameter (e.g. containing SQL metacharacters or UNION/SELECT payloads); question_id is the injection point.
- Presence of the wp-ps-session response header is a fingerprint for the vulnerable Perfect Survey plugin being active on the target WordPress installation.
- Exploitation targets the wp_users table to exfiltrate usernames, emails and password hashes; monitor for anomalous SQL responses or unusually large responses from the admin-ajax.php endpoint.
- The public exploit uses sqlmap with the question_id parameter marked as the injection point (*); detect automated SQLi tooling signatures (the sqlmap User-Agent) combined with requests to admin-ajax.php?action=get_question.
- Only Perfect Survey versions prior to 1.5.2 are affected; version 1.5.1 is confirmed vulnerable. Scope detection rules to installations running versions < 1.5.2.
- The injection is unauthenticated: no WordPress session or nonce is required, so WAF/IDS rules should not filter on authentication state when detecting this attack vector.
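To turn the indicators above into something that runs, here is an added example, not taken from any of the cited sources, that applies them to Apache/nginx combined-format access-log lines: it isolates requests to admin-ajax.php with action=get_question, percent-decodes question_id, and flags values that are not a plain integer, contain SQL metacharacters, or arrive with a sqlmap User-Agent. The log lines are constructed, and the keyword list in SQL_META is an assumption to tune to your own false-positive tolerance.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Added example, not from the page's sources. Log format is Apache/nginx
# "combined"; the sample lines below are constructed.

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Keywords and metacharacters seen in UNION-, boolean- and time-based SQLi
# payloads. Assumed starting list; widen or narrow for your environment.
SQL_META = re.compile(
    r"(?i)(\bunion\b|\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(|['\"#;]|--|/\*|\bor\b|\band\b)"
)


def inspect(line):
    """Return an alert dict for a suspicious get_question request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    # parse_qs percent-decodes, so encoded payloads are inspected in the clear.
    qs = parse_qs(url.query, keep_blank_values=True)
    if qs.get("action") != ["get_question"]:
        return None
    qid = qs.get("question_id", [""])[0]
    reasons = []
    if not qid.isdigit():
        reasons.append("question_id is not a plain integer")
    if SQL_META.search(qid):
        reasons.append("SQL metacharacters in question_id")
    if "sqlmap" in m.group("ua").lower():
        reasons.append("sqlmap User-Agent")
    if not reasons:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "status": int(m.group("status")),
        "question_id": qid,
        "reasons": reasons,
    }


def scan(lines):
    """Apply inspect() to every line and keep only the alerts."""
    return [a for a in map(inspect, lines) if a]


# Constructed sample log: one benign request, a UNION attempt from sqlmap,
# a time-based probe with an ordinary browser UA, and an unrelated AJAX action.
SAMPLE_LOG = [
    '198.51.100.7 - - [27/Apr/2024:10:14:58 +0000] "GET /wp-admin/admin-ajax.php?action=get_question&question_id=7 HTTP/1.1" 200 318 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [27/Apr/2024:10:15:01 +0000] "GET /wp-admin/admin-ajax.php?action=get_question&question_id=7%20UNION%20ALL%20SELECT%20user_login%2Cuser_pass%20FROM%20wp_users HTTP/1.1" 200 1249 "-" "sqlmap/1.6.2#stable (https://sqlmap.org)"',
    '203.0.113.5 - - [27/Apr/2024:10:15:09 +0000] "GET /wp-admin/admin-ajax.php?action=get_question&question_id=7%20AND%20SLEEP(5) HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [27/Apr/2024:10:15:12 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 42 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The integer check is the rule that carries the weight: a legitimate get_question call only ever needs a numeric question_id, so anything else is worth a look regardless of User-Agent, which an attacker changes with one sqlmap flag. Because the bug is unauthenticated, the detector deliberately ignores cookies and nonces, matching the last indicator in the list.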
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | | 9.8 | CRITICAL | |
GHSA
GHSA-mchv-2c9q-xfg9 · ghsa_unreviewed · 2022-02-02 · CVE-2021-24762 [CRITICAL] · CWE-89
The Perfect Survey WordPress plugin before 1.5.2 does not validate and escape the question_id GET parameter before using it in a SQL statement in the get_question AJAX action, allowing unauthenticated users to perform SQL injection.
VulnCheck
getperfectsurvey perfect_survey: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
vulncheck · 2021 · CVSS 9.8 · CVE-2021-24762 [CRITICAL]
The Perfect Survey WordPress plugin before 1.5.2 does not validate and escape the question_id GET parameter before using it in a SQL statement in the get_question AJAX action, allowing unauthenticated users to perform SQL injection.
Affected: getperfectsurvey perfect_survey
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://unit42.paloaltonetworks.com/recent-exploits-network-security-trends/; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-04-27&host_type=src&vulnerability=cve-2021-24762; https://dash
No detection rules found.
Exploit-DB
WordPress Plugin Perfect Survey - 1.5.1 - SQLi (Unauthenticated)
exploitdb · 2022-02-21 · CVSS 9.8 · CVE-2021-24762 [CRITICAL]
---
# Exploit Title: WordPress Plugin Perfect Survey - 1.5.1 - SQLi (Unauthenticated)
# Date 18.02.2022
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://www.getperfectsurvey.com/
# Software Link: https://web.archive.org/web/20210817031040/https://downloads.wordpress.org/plugin/perfect-survey.1.5.1.zip
# Version: < 1.5.2
# Tested on: Ubuntu 20.04
# CVE: CVE-2021-24762
# CWE: CWE-89
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24762/README.md
'''
Description:
The Perfect Survey WordPress plugin before 1.5.2 does not validate and escape the question_id GET parameter before
using it in a SQL statement in the get_question AJAX action, allowing unauthenticated users t
Nuclei
WordPress Perfect Survey <1.5.2 - SQL Injection
nuclei · CVSS 9.8 · CVE-2021-24762 [CRITICAL]
…=7'
- type: word
part: header
words:
- "wp-ps-session"
- type: status
status:
- 404
# digest: 4b0a00483046022100b71d92b21da53614508dc43acb5a86361b080e0736ba83f4400467391de81397022100a2689b177f388a949c5753a86715cab7271d2f9889edd72e490bda48584f1ae1:922c64590222798bb761d5b6d8e72950
Metasploit
WordPress Plugin Perfect Survey 1.5.1 SQLi (Unauthenticated)
metasploit
This module exploits a SQL injection vulnerability in the Perfect Survey plugin for WordPress (version 1.5.1). An unauthenticated attacker can exploit the SQLi to retrieve sensitive information such as usernames, emails, and password hashes from the `wp_users` table.
arXiv
SecScore: Enhancing the CVSS Threat Metric Group with Empirical Evidences
arxiv_fulltext · 2024-05-14
Miguel Santana (Banco de Portugal, Portugal); Vinicius V. Cogo (LASIGE, Informática, Faculdade de Ciências, Universidade de Lisboa, Portugal); Alan Oliveira de Sá (LASIGE, Informática, Faculdade de Ciências, Universidade de Lisboa, Portugal)
## Abstract
Background: Timely prioritising and remediating vulnerabilities is paramount in the dynamic cybersecurity field, and one of the most widely used vulnerability scoring systems (CVSS) does not address the increasing likelihood of an exploit code emerging.
Aims: We present SecScore, an innovative vulnerability severity score that enhances the CVSS Threat metric group with statistical models from empirical evidence of real-world exploit codes.
Method: SecScore adjusts the traditional
Unit42
Network Security Trends: Recent Exploits Observed in the Wild Include Remote Code Execution, Cross-Site Scripting and More
blogs_unit42 · 2022-08-19 · CVSS 8.8 · CVE-2021-20166 [HIGH]
Yue Guan · Published: August 19, 2022
Tags: Trend Reports, Vulnerabilities, Attack analysis, Exploit in the wild, Network security trends
CVEs covered: CVE-2021-20166, CVE-2021-20167, CVE-2021-21881, CVE-2021-24762, CVE-2021-28169, CVE-2021-31589, CVE-2021-39226, CVE-2021-4045, CVE-2021-43711, CVE-2022-21371, CVE-2022-21662, CVE-2022-22536, CVE-2022-22947, CVE-2022-22954, CVE-2022-22963, CVE-2022-22965, CVE-2022-24112, CVE-2022-24260, CVE-2022-25060, CVE-2022-25075, CVE-2022-25134, CVE-2022-27226, CVE-2022-29464
## Executive Summary
Recent observations of exploits used in the wild reveal that attackers have been making use of newly published remote code execution vulnerabilities in VMware ONE Access and Identity Manager and Spring Cloud Function, Spring MVC and Spring Web Flux, among others. Attackers have also been taking advantage of a cross-site scripting vulnerability in WordPress core, and SQL injection vulnerabilities in VoIPmonitor GUI and other services. In our observations of network security trends, Unit 42 researchers select exploits of the latest published attacks that defenders should know based on the availability of proofs of concept (PoCs), the severity of the vulnerabilities the exploits are based on and the ease of exploitation.
Other insights that could assist defenders includ
References
- http://packetstormsecurity.com/files/166072/WordPress-Perfect-Survey-1.5.1-SQL-Injection.html
- https://wpscan.com/vulnerability/c1620905-7c31-4e62-80f5-1d9635be11ad