CVE-2021-24835

Public Exploit

WCFM - Frontend Manager for WooCommerce < 6.5.12 - Customer/Subscriber+ SQL Injection

Description

The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible WordPress plugin before 6.5.12, when used in combination with another WCFM - WooCommerce Multivendor plugin such as WCFM - WooCommerce Multivendor Marketplace, does not escape the withdrawal_vendor parameter before using it in a SQL statement, allowing low privilege users such as Subscribers to perform SQL injection attacks

References

Link	Tags
https://wpscan.com/vulnerability/c493ac9c-67d1-48a9-be21-824b1a1d56c2	third party advisory exploit

Frequently Asked Questions

What is the severity of CVE-2021-24835?: CVE-2021-24835 has been scored as a high severity vulnerability.
How to fix CVE-2021-24835?: To fix CVE-2021-24835, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2021-24835 being actively exploited in the wild?: It is possible that CVE-2021-24835 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-24835?: CVE-2021-24835 affects Unknown WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible.

Description

Category

CWE-89 – Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

References

Frequently Asked Questions