CVE-2021-24931
published 2021-12-06


Priority: P188 · critical · CVSS 3.1: 9.8
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 78.81% (99.5th percentile)
The Secure Copy Content Protection and Content Locking WordPress plugin before 2.8.2 does not escape the sccp_id parameter of the ays_sccp_results_export_file AJAX action (available to both unauthenticated and authenticated users) before using it in a SQL statement, leading to an SQL injection.

Affected

1 range
Vendor | Product | Version range | Fixed in
ays-pro | secure_copy_content_protection_and_content_locking | < 2.8.2 | 2.8.2

Detection & IOCs (extracted from sources)

url: wp-admin/admin-ajax.php?action=ays_sccp_results_export_file&sccp_id[]=3)*&type=json
path: wp-admin/admin-ajax.php
  • Monitor HTTP requests to wp-admin/admin-ajax.php with the action parameter set to 'ays_sccp_results_export_file' and the 'sccp_id[]' parameter containing SQL injection payloads (e.g., parentheses, asterisks, or other SQLi metacharacters). This endpoint is exploitable by unauthenticated users.
  • Alert on HTTP responses to the ays_sccp_results_export_file action returning HTTP 200 with Content-Type 'text/html' and a body containing '{"status":true', which indicates successful exploitation.
  • The exploit targets the 'sccp_id[]' array parameter with a SQL injection payload (e.g., '3)*') to break out of a SQL function call. Detect array-style parameter abuse combined with SQL metacharacters in this specific parameter.
  • Successful exploitation allows dumping of wp_users table including usernames and password hashes. Correlate SQLi alerts on this endpoint with subsequent authentication attempts using cracked credentials.
  • The vulnerability affects Secure Copy Content Protection and Content Locking plugin versions prior to 2.8.2 only. Ensure version fingerprinting is part of detection logic to reduce false positives on patched installations.
  • The AJAX action is accessible to both unauthenticated and authenticated users, meaning authentication-based WAF bypass rules will not prevent exploitation; detection must cover unauthenticated requests.
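
The request-side checks above can be run over web server access logs. The following is an added example, not code from this page or from the plugin: the log lines are constructed, and it assumes Combined Log Format and that a legitimate sccp_id value is a plain decimal integer. Access logs show only the query string, so payloads sent in a POST body need WAF or application-level logging instead.

```python
import re
from urllib.parse import urlsplit, parse_qsl

ACTION = "ays_sccp_results_export_file"
# Combined Log Format: ip ident user [time] "METHOD url PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Dec/2021:10:00:01 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=ays_sccp_results_export_file&sccp_id[]=3)*&type=json HTTP/1.1" 200 512',
    '203.0.113.7 - - [06/Dec/2021:10:00:02 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=ays_sccp_results_export_file&sccp_id%5B%5D=3%29%2A&type=json HTTP/1.1" 403 0',
    '198.51.100.4 - - [06/Dec/2021:10:05:00 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=ays_sccp_results_export_file&sccp_id[]=3&type=json HTTP/1.1" 200 90',
    '198.51.100.9 - - [06/Dec/2021:10:06:00 +0000] "POST /wp-admin/admin-ajax.php'
    '?action=heartbeat HTTP/1.1" 200 45',
]

def classify(line):
    """Return None for unrelated lines, else a dict describing the request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _method, url, status = m.groups()
    parts = urlsplit(url)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    # parse_qsl percent-decodes names and values, so sccp_id%5B%5D is caught too.
    params = parse_qsl(parts.query, keep_blank_values=True)
    if ("action", ACTION) not in params:
        return None
    # Covers sccp_id, sccp_id[] and indexed forms such as sccp_id[0].
    ids = [v for k, v in params if k.split("[")[0] == "sccp_id"]
    # Assumption: a legitimate id is a plain decimal integer.
    bad = [v for v in ids if not (v.isascii() and v.isdigit())]
    return {"ip": ip, "status": int(status), "values": bad, "suspicious": bool(bad)}

def scan(lines):
    """Return only the requests whose sccp_id values are not plain integers."""
    hits = (classify(line) for line in lines)
    return [h for h in hits if h and h["suspicious"]]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        # A 200 here warrants checking the response body and later logins.
        print(hit)
```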

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck | 9.8 | CRITICAL