CVE-2021-24404

🗓️ 20 Sep 2021 10:06:11Reported by WPScanType

cve🔗 web.nvd.nist.gov👁 35 Views🌐 WEB

The WP-Board WordPress plugin through 1.1 beta is prone to time-based SQL injection via the options.php file, allowing for query time delay. CVE-2021-2440

Reporter	Title	Published	Views	Family All 10
CNNVD	WordPress SQL注入漏洞	20 Sep 202100:00	–	cnnvd
Cvelist	CVE-2021-24404 WP-Board <= 1.1 (beta) - Unauthenticated SQL Injection	20 Sep 202110:06	–	cvelist
EUVD	EUVD-2021-11316	7 Oct 202500:30	–	euvd
NVD	CVE-2021-24404	20 Sep 202110:15	–	nvd
OSV	CVE-2021-24404	20 Sep 202110:15	–	osv
Patchstack	WordPress WP-Board plugin <= 1.1 - Unauthenticated SQL Injection (SQLi) vulnerability	22 Aug 202100:00	–	patchstack
Prion	Sql injection	20 Sep 202110:15	–	prion
RedhatCVE	CVE-2021-24404	22 May 202521:04	–	redhatcve
wpexploit	WP-Board <= 1.1 (beta) - Unauthenticated SQL Injection	22 Aug 202100:00	–	wpexploit
WPVulnDB	WP-Board <= 1.1 (beta) - Unauthenticated SQL Injection	22 Aug 202100:00	–	wpvulndb

NVD

Vulners

Node

wp-board_project wp-boardRange≤1.1wordpress

[
  {
    "product": "WP-Board",
    "vendor": "Unknown",
    "versions": [
      {
        "lessThanOrEqual": "1.1 beta",
        "status": "affected",
        "version": "1.1 beta",
        "versionType": "custom"
      }
    ]
  }
]

Source	Link
codevigilant	www.codevigilant.com/disclosure/2021/wp-plugin-wp-board/
wpscan	www.wpscan.com/vulnerability/a86240e1-f064-4972-9f97-6b349fdd57f6

Parameter	Position	Path	Description	CWE
postID	query param	/wp-content/plugins/wp-board/php/actions.php?action=modp&postID=0%20AND%20(SELECT%201067%20FROM%20(SELECT(SLEEP(5)))PVan)	Time-based SQL injection vulnerability via unsanitized postID parameter in actions.php (CWE-89). The provided POC shows a sleep() to demonstrate delay.	CWE-89

21 Nov 2024 05:53Current

9High risk

Vulners AI Score9

CVSS 26.5

CVSS 3.18.8

EPSS0.00582

CWE-89