CVE-2021-24627

moderate-risk
Published 2021-11-08

The G Auto-Hyperlink WordPress plugin through 1.0.1 does not sanitise or escape an 'id' GET parameter before using it in a SQL statement, to select data to be displayed in the admin dashboard, leading to an authenticated SQL injection

Do I need to act?

!
25.4% chance of exploitation in next 30 days
EPSS score — higher than 75% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.2/10 High
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

G Auto-Hyperlink Project

References (4)

Exploit https://codevigilant.com/disclosure/2021/wp-plugin-g-auto-hyperlink/
Exploit https://wpscan.com/vulnerability/c04ea768-150f-41b8-b08c-78d1ae006bbb
Exploit https://codevigilant.com/disclosure/2021/wp-plugin-g-auto-hyperlink/
Exploit https://wpscan.com/vulnerability/c04ea768-150f-41b8-b08c-78d1ae006bbb
46
/ 100
moderate-risk
Severity 26/34 · High
Exploitability 15/34 · Moderate
Exposure 5/34 · Minimal