CVE-2021-25076
Published 2022-01-24. CVE-2021-25076: The WP User Frontend WordPress plugin before 3.5.26 does not validate and escape the status parameter before using it in a SQL statement in the Subscribers…
Priority: P277 · high · 8.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Flags: ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 17.12% (96.7th percentile)
The WP User Frontend WordPress plugin before 3.5.26 does not validate and escape the status parameter before using it in a SQL statement in the Subscribers dashboard, leading to an SQL injection. Due to the lack of sanitisation and escaping, this could also lead to Reflected Cross-Site Scripting
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wedevs | wp_user_frontend | < 3.5.26 | 3.5.26 |
Detection & IOCs (extracted from sources)
Command: sqlmap -u "http://<IP>:<PORT><PATH>wp-admin/admin.php?page=wpuf_subscribers&post_ID=1&status=1" --level 2 --risk 2 --cookie="<cookie>" -p status -v 0 --answers="follow=Y" --batch
- Monitor HTTP requests to /wp-admin/admin.php with query parameters page=wpuf_subscribers and a suspicious or SQL-crafted 'status' parameter value — this is the exact injection point for CVE-2021-25076.
- The exploit authenticates first via wp-login.php and then reuses the session cookie for the SQLi request — correlate a wp-login.php POST immediately followed by a wpuf_subscribers request with anomalous status values.
- The vulnerability also enables Reflected XSS via the same unsanitised 'status' parameter — inspect responses for reflected script payloads in the Subscribers dashboard endpoint.
- Exploitation requires authentication — the attacker must possess valid WordPress credentials before the SQLi payload can be delivered to the wpuf_subscribers endpoint.
- Only plugin versions before 3.5.26 are vulnerable; verify the installed version of wp-user-frontend before triaging alerts.
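The two detection ideas above (flag non-integer status values on the wpuf_subscribers dashboard, and correlate them with a preceding wp-login.php POST from the same client) as an added example, not code from the original page or from any of the listed sources. The log lines are constructed; the 60-second login-correlation window is an assumption.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not real traffic); the last two
# requests carry a non-numeric 'status' value on the wpuf_subscribers page.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Jan/2022:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.5 - - [24/Jan/2022:10:00:03 +0000] "GET /wp-admin/admin.php?page=wpuf_subscribers&post_ID=1&status=1 HTTP/1.1" 200 5120
203.0.113.5 - - [24/Jan/2022:10:00:04 +0000] "GET /wp-admin/admin.php?page=wpuf_subscribers&post_ID=1&status=1%27%20OR%201%3D1-- HTTP/1.1" 200 5120
198.51.100.9 - - [24/Jan/2022:11:30:00 +0000] "GET /wp-admin/admin.php?page=wpuf_subscribers&post_ID=2&status=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5200
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<code>\d{3}) \S+$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_WINDOW = timedelta(seconds=60)  # assumption: login-to-request gap worth correlating

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def suspicious_status_values(target):
    """Non-integer 'status' values of a wpuf_subscribers dashboard request ([] if benign)."""
    parts = urlsplit(target)
    if parts.path != "/wp-admin/admin.php":
        return []
    q = parse_qs(parts.query, keep_blank_values=True)
    if q.get("page") != ["wpuf_subscribers"]:
        return []
    # The dashboard takes an integer status; anything else is a SQLi/XSS probe candidate.
    return [v for v in q.get("status", []) if not re.fullmatch(r"\d+", v)]

def detect(log_text):
    """Return (ip, timestamp, bad status values, preceded_by_login) for each suspicious hit."""
    last_login = {}  # ip -> time of its most recent POST /wp-login.php
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and urlsplit(rec["target"]).path == "/wp-login.php":
            last_login[rec["ip"]] = rec["ts"]
            continue
        bad = suspicious_status_values(rec["target"])
        if bad:
            login_ts = last_login.get(rec["ip"])
            correlated = login_ts is not None and rec["ts"] - login_ts <= LOGIN_WINDOW
            alerts.append((rec["ip"], rec["ts"].isoformat(), bad, correlated))
    return alerts
```

Run `detect(SAMPLE_LOG)` to get two alerts: the first from 203.0.113.5 is marked as preceded by a login, the second from 198.51.100.9 is not.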
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| vulncheck | | 8.8 | HIGH | |
GHSA
GHSA-gx4g-7h78-x658 · ghsa_unreviewed · 2022-01-25 · CVE-2021-25076 [CRITICAL] · CWE-89
The WP User Frontend WordPress plugin before 3.5.26 does not validate and escape the status parameter before using it in a SQL statement in the Subscribers dashboard, leading to an SQL injection. Due to the lack of sanitisation and escaping, this could also lead to Reflected Cross-Site Scripting
VulnCheck
vulncheck · 2021 · CVSS 8.8 · CVE-2021-25076 [HIGH]
wedevs wp_user_frontend Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The WP User Frontend WordPress plugin before 3.5.26 does not validate and escape the status parameter before using it in a SQL statement in the Subscribers dashboard, leading to an SQL injection. Due to the lack of sanitisation and escaping, this could also lead to Reflected Cross-Site Scripting
Affected: wedevs wp_user_frontend
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://patchstack.com/database/vulnerability/wp-user-frontend/wordpress-wp-user-frontend-plugin-3-5-25-sql-injection-sqli-to-reflected-cross-site-scripting-xss
Exploit PoC:
No detection rules found.
No writeups or analysis indexed.
References:
- http://packetstormsecurity.com/files/166071/WordPress-WP-User-Frontend-3.5.25-SQL-Injection.html
- https://plugins.trac.wordpress.org/changeset/2648715
- https://wpscan.com/vulnerability/6d3eeba6-5560-4380-a6e9-f008a9112ac6