CVE-2021-24931
Published 2021-12-06
Priority P188 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 78.81% (99.5th percentile)
The Secure Copy Content Protection and Content Locking WordPress plugin before 2.8.2 does not escape the sccp_id parameter of the ays_sccp_results_export_file AJAX action (available to both unauthenticated and authenticated users) before using it in a SQL statement, leading to an SQL injection.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ays-pro | secure_copy_content_protection_and_content_locking | < 2.8.2 | 2.8.2 |
Detection & IOCs (extracted from sources)
- Monitor HTTP requests to wp-admin/admin-ajax.php with the action parameter set to 'ays_sccp_results_export_file' and the 'sccp_id[]' parameter containing SQL injection payloads (e.g., parentheses, asterisks, or other SQLi metacharacters). This endpoint is exploitable by unauthenticated users.
- Alert on HTTP responses to the ays_sccp_results_export_file action returning HTTP 200 with Content-Type 'text/html' and a body containing '{"status":true', which indicates successful exploitation.
- The exploit targets the 'sccp_id[]' array parameter with a SQL injection payload (e.g., '3)*') to break out of a SQL function call. Detect array-style parameter abuse combined with SQL metacharacters in this specific parameter.
- Successful exploitation allows dumping of the wp_users table, including usernames and password hashes. Correlate SQLi alerts on this endpoint with subsequent authentication attempts using cracked credentials.
- The vulnerability affects Secure Copy Content Protection and Content Locking plugin versions prior to 2.8.2 only. Ensure version fingerprinting is part of detection logic to reduce false positives on patched installations.
- The AJAX action is accessible to both unauthenticated and authenticated users, meaning authentication-based WAF bypass rules will not prevent exploitation; detection must cover unauthenticated requests.
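The request-side checks above can be run over web server access logs. The following is an added example, not code from any of the cited sources: it assumes Combined Log Format, that the parameters arrive in the query string (POST bodies are not visible in access logs), and that legitimate sccp_id values are plain integers, so it alerts on anything that fails a numeric allowlist rather than matching individual metacharacters. The log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

ACTION = "ays_sccp_results_export_file"
AJAX_PATH = "/wp-admin/admin-ajax.php"
# Combined Log Format: ip - - [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def classify(line):
    """Return None for unrelated lines, else a finding for the export action."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if not url.path.endswith(AJAX_PATH):
        return None
    # parse_qsl percent-decodes, so sccp_id%5B%5D and sccp_id[] look the same.
    params = parse_qsl(url.query, keep_blank_values=True)
    if ("action", ACTION) not in params:
        return None
    ids = [v for k, v in params if k in ("sccp_id", "sccp_id[]")]
    # Assumption: a legitimate ID is ASCII digits only; anything else alerts.
    bad = [v for v in ids if not (v.isascii() and v.isdigit())]
    return {"ip": m["ip"], "status": int(m["status"]),
            "suspicious": bool(bad), "values": bad}

def scan(lines):
    """Findings whose sccp_id values fail the numeric allowlist."""
    return [f for f in map(classify, lines) if f and f["suspicious"]]

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=ays_sccp_results_export_file&sccp_id[]=3 HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=ays_sccp_results_export_file&sccp_id%5B%5D=3%29%2A HTTP/1.1" 200 734 "-" "-"',
    '192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=heartbeat HTTP/1.1" 200 80 "-" "-"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Findings from this check still need the version fingerprinting and response-body correlation described in the list above before they are treated as successful exploitation.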
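CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | | 9.8 | CRITICAL | |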
GHSA
GHSA-pqpx-fr5w-2v75 · ghsa_unreviewed · 2022-02-11
CVE-2021-24931 [CRITICAL] CWE-89
VulnCheck
ays-pro secure_copy_content_protection_and_content_locking: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
vulncheck · 2021 · CVSS 9.8 · CVE-2021-24931 [CRITICAL]
Affected: ays-pro secure_copy_content_protection_and_content_locking
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-22&host_type=src&vul
No detection rules found.
Exploit-DB
WordPress Plugin Secure Copy Content Protection and Content Locking 2.8.1 - SQL-Injection (Unauthenticated)
exploitdb · 2022-02-10 · CVSS 9.8 · CVE-2021-24931 [CRITICAL]
---
# Exploit Title: WordPress Plugin Secure Copy Content Protection and Content Locking 2.8.1 - SQL-Injection (Unauthenticated)
# Date 08.02.2022
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://ays-pro.com/
# Software Link: https://downloads.wordpress.org/plugin/secure-copy-content-protection.2.8.1.zip
# Version: < 2.8.2
# Tested on: Ubuntu 20.04
# CVE: CVE-2021-24931
# CWE: CWE-89
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24931/README.md
'''
Description:
The Secure Copy Content Protection and Content Locking WordPress plugin before 2.8.2 does not escape the
sccp_id parameter of the ays_sccp_results_export_file AJA
Nuclei
WordPress Secure Copy Content Protection and Content Locking <2.8.2 - SQL Injection
nuclei · CVSS 9.8 · CVE-2021-24931 [CRITICAL]
WordPress Secure Copy Content Protection and Content Locking =6'
- 'status_code == 200'
- 'contains(content_type, "text/html")'
- 'contains(body, "{\"status\":true")'
condition: and
# digest: 490a0046304402207a84be8c6a53520718fea4b83ae55dac564135d3f7e685b0a1c849943a0fb0f5022044e33166823b8a4ce9af47ffad028bebf12ea34b593e44199f59cff1b7a060d6:922c64590222798bb761d5b6d8e72950
Metasploit
Wordpress Secure Copy Content Protection and Content Locking sccp_id Unauthenticated SQLi
metasploit
Secure Copy Content Protection and Content Locking, a WordPress plugin, prior to 2.8.2 is affected by an unauthenticated SQL injection via the `sccp_id[]` parameter. Remote attackers can exploit this vulnerability to dump usernames and password hashes from the `wp_users` table of the affected WordPress installation. These password hashes can then be cracked offline using tools such as Hashcat to obtain valid login credentials for the affected WordPress installation.
- http://packetstormsecurity.com/files/165946/WordPress-Secure-Copy-Content-Protection-And-Content-Locking-2.8.1-SQL-Injection.html
- https://wpscan.com/vulnerability/1cd52d61-af75-43ed-9b99-b46c471c4231