CVE-2021-24762
published 2022-02-01


Priority: P190 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 86.90% (99.7th percentile)
The Perfect Survey WordPress plugin before 1.5.2 does not validate and escape the question_id GET parameter before using it in a SQL statement in the get_question AJAX action, allowing unauthenticated users to perform SQL injection.

Affected

1 range
Vendor: getperfectsurvey
Product: perfect_survey
Version range: < 1.5.2
Fixed in: 1.5.2

Detection & IOCs (extracted from sources)

cookie: wp-ps-session
  • Monitor unauthenticated HTTP GET requests to wp-admin/admin-ajax.php with action=get_question and a manipulated question_id parameter (e.g., containing SQL metacharacters or UNION/SELECT payloads) as the injection point.
  • Presence of the wp-ps-session response header is a fingerprint for the vulnerable Perfect Survey plugin being active on the target WordPress installation.
  • Exploitation targets the wp_users table to exfiltrate usernames, emails, and password hashes; monitor for anomalous SQL responses or large data returns from the admin-ajax.php endpoint.
  • The exploit uses sqlmap with the question_id parameter marked as the injection point (*); detect automated SQLi tooling signatures (sqlmap User-Agent) combined with requests to admin-ajax.php?action=get_question.
  • The vulnerability only affects Perfect Survey plugin versions prior to 1.5.2; version 1.5.1 is confirmed vulnerable. Ensure detection rules are scoped to installations running versions < 1.5.2.
  • The injection is unauthenticated: no WordPress session or nonce is required, meaning WAF/IDS rules should not filter on authentication state when detecting this attack vector.
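
Added example (not part of the source entry): a log check that applies the monitoring points above to web server access logs without looking at authentication state. It assumes Combined Log Format and that a legitimate question_id is a plain decimal ID; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: client, timestamp, request line, status, size, referer, user agent
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Feb/2022:10:00:00 +0000] "GET /wp-admin/admin-ajax.php?action=get_question&question_id=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Feb/2022:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=get_question&question_id=1%20UNION%20SELECT%20NULL HTTP/1.1" 200 9042 "-" "sqlmap/1.6 (https://sqlmap.org)"',
    '203.0.113.9 - - [01/Feb/2022:10:00:07 +0000] "GET /wp-admin/admin-ajax.php?action=get_question&question_id=1%27 HTTP/1.1" 200 130 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [01/Feb/2022:10:01:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
]

def classify(line):
    """Return the reasons a log line matches, or [] if it is not of interest."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "GET":
        return []
    url = urlsplit(m["target"])
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return []
    params = parse_qs(url.query, keep_blank_values=True)  # also URL-decodes values
    if "get_question" not in params.get("action", []):
        return []
    reasons = []
    # Assumption: a legitimate question_id is a plain decimal ID, so anything
    # else (quotes, spaces, SQL keywords, empty value) is worth an alert.
    if any(not re.fullmatch(r"\d+", v) for v in params.get("question_id", [])):
        reasons.append("non-numeric question_id")
    if "sqlmap" in m["ua"].lower():
        reasons.append("sqlmap user agent")
    return reasons

def scan(lines):
    """Return (line index, reasons) for every line that matched a rule."""
    return [(i, r) for i, line in enumerate(lines) if (r := classify(line))]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_LOG):
        print(index, ", ".join(reasons))
```

The user-agent rule only adds context to an alert, since that header is client-controlled; the question_id rule is the one that carries the detection.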

CVSS provenance

nvd · v3.1 · 9.8 · CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.5 · HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck · 9.8 · CRITICAL