Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2021-24931

CWE-89 — SQL Injection6 documents6 sources

Severity

9.8CRITICAL

EPSS

72.2%

top 1.25%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Unknown Secure Copy Content Protection AND Content Locking Ays-pro Secure Copy Content Protection AND Content Locking

Timeline

PublishedDec 6

Latest updateFeb 11

Description

The Secure Copy Content Protection and Content Locking WordPress plugin before 2.8.2 does not escape the sccp_id parameter of the ays_sccp_results_export_file AJAX action (available to both unauthenticated and authenticated users) before using it in a SQL statement, leading to an SQL injection.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5unknown/secure_copy_content_protection_and_content_locking2.8.2 — 2.8.2

▶NVDays-pro/secure_copy_content_protection_and_content_locking< 2.8.2

🔴Vulnerability Details

GHSA

GHSA-pqpx-fr5w-2v75: The Secure Copy Content Protection and Content Locking WordPress plugin before 2↗2022-02-11

▶

CVEList

Secure Copy Content Protection and Content Locking < 2.8.2 - Unauthenticated SQL Injection↗2021-12-06

▶

VulnCheck

ays-pro secure_copy_content_protection_and_content_locking Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')↗2021

▶

💥Exploits & PoCs

Exploit-DB

WordPress Plugin Secure Copy Content Protection and Content Locking 2.8.1 - SQL-Injection (Unauthenticated)↗2022-02-10

▶

Nuclei

WordPress Secure Copy Content Protection and Content Locking <2.8.2 - SQL Injection

▶