CVE-2021-24949
Published: 2022-01-10
Priority: P353 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.70% (74.4th percentile)
The "WP Search Filters" widget of The Plus Addons for Elementor - Pro WordPress plugin before 5.0.7 does not sanitise and escape the option parameter before using it in a SQL statement, which could lead to SQL injection
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| posimyth | the_plus_addons_for_elementor | < 5.0.7 | 5.0.7 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Suricata
ET WEB_SPECIFIC_APPS PHP-Fusion Downloads.php Command Injection (CVE-2020-24949)
suricata · 2021-07-27 · CVSS 8.8 · [HIGH]
Note: this rule matches on CVE-2020-24949 (a PHP-Fusion downloads.php command injection), not CVE-2021-24949; it was listed here because of the similar identifier and does not detect the Plus Addons for Elementor SQL injection described above.
Rule (truncated as indexed):
```
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS PHP-Fusion Downloads.php Command Injection (CVE-2020-24949)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/infusions/"; content:"downloads.php?cat_id=|24 7b|system"; fast_pattern; reference:url,github.com/r90tpass/CVE-2020-24949/blob/main/exp.py; reference:cve,2020-24949; classtype:attempted-admin; sid:2033462; rev:1; metadata:created_at 2021_07_27, cve CVE_2020_24949, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_07_27, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitati
```
No writeups or analysis indexed.