cbcvebase.
CVE-2021-24849
published 2021-12-21

Priority: P268 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 8.48% (94.3rd percentile)
The wcfm_ajax_controller AJAX action of the WCFM Marketplace WordPress plugin before 3.4.12, available to unauthenticated and authenticated users, does not properly sanitise multiple parameters before using them in SQL statements, leading to SQL injection.

Affected

1 range
Vendor: wclovers
Product: frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compa
Version range: < 3.4.12
Fixed in: 3.4.12

Detection & IOCs (extracted from sources)

other (signing digest): 4b0a00483046022100a6442bddd9d93d300e210f7f6e02eb18a1c396acc1d71034c10b484569342af7022100ae4691c6dcf634829faed810cfa25ab9e0342e0e1d3f776e405856f4cd9fae48:922c64590222798bb761d5b6d8e72950
sigma:
  status_code == 200 AND contains(header, 'application/json') AND contains(body, 'success')
  • The vulnerable AJAX action is 'wcfm_ajax_controller', accessible to both unauthenticated and authenticated users. Monitor POST requests targeting this action (e.g., wp-admin/admin-ajax.php?action=wcfm_ajax_controller) for SQL injection payloads in parameters.
  • Successful exploitation returns HTTP 200 with Content-Type application/json and a body containing 'success'. Alert on this response pattern in conjunction with suspicious input to the wcfm_ajax_controller action.
  • The vulnerability affects WCFM Marketplace plugin versions before 3.4.12. The WCFM WooCommerce Multivendor Marketplace version string '=5' appears in the source and may indicate a nuclei/probe template version identifier rather than a plugin version — treat with caution.
  • The digest value present in the source is a template/rule signing digest and is not a malware hash; it should not be used as a file-based IOC.

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P