CVE-2021-24931

Public Exploit

Secure Copy Content Protection and Content Locking < 2.8.2 - Unauthenticated SQL Injection

Description

The Secure Copy Content Protection and Content Locking WordPress plugin before 2.8.2 does not escape the sccp_id parameter of the ays_sccp_results_export_file AJAX action (available to both unauthenticated and authenticated users) before using it in a SQL statement, leading to an SQL injection.

References

Link	Tags
https://wpscan.com/vulnerability/1cd52d61-af75-43ed-9b99-b46c471c4231	third party advisory exploit
http://packetstormsecurity.com/files/165946/WordPress-Secure-Copy-Content-Protection-And-Content-Locking-2.8.1-SQL-Injection.html	third party advisory vdb entry exploit

Frequently Asked Questions

What is the severity of CVE-2021-24931?: CVE-2021-24931 has been scored as a critical severity vulnerability.
How to fix CVE-2021-24931?: To fix CVE-2021-24931, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2021-24931 being actively exploited in the wild?: It is possible that CVE-2021-24931 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~67% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-24931?: CVE-2021-24931 affects Unknown Secure Copy Content Protection and Content Locking.

Description

Category

CWE-89 – Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

References

Frequently Asked Questions