CVE-2021-25076
published 2022-01-24


Priority: P2 77 high
CVSS 3.1: 8.8 (high), vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploited in the wild (ITW exploit; listed in VulnCheck KEV)
EPSS: 17.12% (96.7th percentile)
The WP User Frontend WordPress plugin before 3.5.26 does not validate and escape the status parameter before using it in a SQL statement in the Subscribers dashboard, leading to an SQL injection. Due to the lack of sanitisation and escaping, this could also lead to Reflected Cross-Site Scripting

Affected

1 range
Vendor    Product            Version range    Fixed in
wedevs    wp_user_frontend   < 3.5.26         3.5.26

Detection & IOCs (extracted from sources)

URL: https://downloads.wordpress.org/plugin/wp-user-frontend.3.5.25.zip
Command: sqlmap -u "http://<IP>:<PORT><PATH>wp-admin/admin.php?page=wpuf_subscribers&post_ID=1&status=1" --level 2 --risk 2 --cookie="<cookie>" -p status -v 0 --answers="follow=Y" --batch
  • Monitor HTTP requests to /wp-admin/admin.php with query parameters page=wpuf_subscribers and a suspicious or SQL-crafted 'status' parameter value; this is the exact injection point for CVE-2021-25076.
  • The exploit authenticates first via wp-login.php and then reuses the session cookie for the SQLi request, so correlate a wp-login.php POST immediately followed by a wpuf_subscribers request with an anomalous status value from the same client.
  • The vulnerability also enables Reflected XSS via the same unsanitised 'status' parameter; inspect responses from the Subscribers dashboard endpoint for reflected script payloads.
  • Exploitation requires authentication: the attacker must possess valid WordPress credentials before the SQLi payload can be delivered to the wpuf_subscribers endpoint.
  • Only plugin versions before 3.5.26 are vulnerable; verify the installed version of wp-user-frontend before triaging alerts.
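The detection logic described in the bullets above, as an added example that is not part of the original page and not code from the plugin or any vendor tooling. It parses constructed web-server access-log lines (combined log format), flags wpuf_subscribers requests whose 'status' value carries SQL or HTML metacharacters, and marks whether the same client POSTed to wp-login.php shortly beforehand. The signature patterns, the 60-second correlation window and the assumption that benign status values are plain alphanumeric tokens are the example's own choices, not something the page states.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Combined-log-format line: client IP, timestamp, request line, HTTP status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Assumption (not from the advisory): legitimate status values are plain tokens of
# letters, digits, '_' and '-'. Anything else is at least anomalous; SQL or HTML
# metacharacters raise the finding to 'sqli' / 'xss'.
SAFE_RE = re.compile(r"^[A-Za-z0-9_-]*$")
SQLI_RE = re.compile(r"(?i)('|\"|--|/\*|;|\bunion\b|\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(|\b(?:and|or)\b\s+\S+\s*=)")
XSS_RE = re.compile(r"(?i)(<|>|</?script|\bon[a-z]+\s*=)")

# Constructed sample traffic (not real logs): one sqlmap-style session that logs in
# and then probes the status parameter, plus one benign dashboard request.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Jan/2022:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "sqlmap/1.5"
203.0.113.7 - - [24/Jan/2022:10:00:03 +0000] "GET /wp-admin/admin.php?page=wpuf_subscribers&post_ID=1&status=1%20AND%20SLEEP(5) HTTP/1.1" 200 4321 "-" "sqlmap/1.5"
203.0.113.7 - - [24/Jan/2022:10:00:04 +0000] "GET /wp-admin/admin.php?page=wpuf_subscribers&post_ID=1&status=1%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 4400 "-" "sqlmap/1.5"
198.51.100.4 - - [24/Jan/2022:10:05:00 +0000] "GET /wp-admin/admin.php?page=wpuf_subscribers&post_ID=1&status=completed HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
"""


def classify_status(value):
    """Return the signature classes the status value trips (empty list if benign).
    A payload can trip several: an XSS probe containing a quote also matches the SQLi set."""
    kinds = []
    if SQLI_RE.search(value):
        kinds.append("sqli")
    if XSS_RE.search(value):
        kinds.append("xss")
    if not kinds and not SAFE_RE.match(value):
        kinds.append("anomalous")
    return kinds


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, code = m.groups()
    parts = urlsplit(target)
    return {
        "ip": ip,
        "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
        "method": method,
        "path": parts.path,
        "query": parse_qs(parts.query),  # percent-decodes values, so signatures see the raw payload
        "code": int(code),
    }


def detect(log_text, window_seconds=60):
    """Alert on wpuf_subscribers requests with hostile 'status' values and record whether
    the same client POSTed to wp-login.php within window_seconds before the request."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    entries.sort(key=lambda e: e["time"])  # logs may be unordered; correlation needs time order
    window = timedelta(seconds=window_seconds)
    last_login = {}  # ip -> time of that client's most recent wp-login.php POST
    alerts = []
    for e in entries:
        if e["method"] == "POST" and e["path"].endswith("/wp-login.php"):
            last_login[e["ip"]] = e["time"]
            continue
        if not e["path"].endswith("/wp-admin/admin.php"):
            continue
        if e["query"].get("page", [""])[0] != "wpuf_subscribers":
            continue
        status = e["query"].get("status", [""])[0]
        kinds = classify_status(status)
        if not kinds:
            continue
        login_t = last_login.get(e["ip"])
        alerts.append({
            "ip": e["ip"],
            "time": e["time"].isoformat(),
            "status": status,
            "kinds": kinds,
            "login_correlated": login_t is not None and e["time"] - login_t <= window,
        })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

Run against the embedded sample, the two sqlmap probes from 203.0.113.7 are reported (the first as sqli, the second as both sqli and xss) and both are marked as login-correlated, while the benign status=completed request from the other client produces nothing. In production the same logic applies to web-server or WAF logs; the login correlation only narrows the alert, since the advisory says exploitation requires valid credentials anyway, so an anomalous status value from an already-authenticated session is still worth triage.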

CVSS provenance

NVD v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P
VulnCheck: 8.8 HIGH