CVE-2021-24849

high-risk
Published 2021-12-21

The wcfm_ajax_controller AJAX action of the WCFM Marketplace WordPress plugin before 3.4.12, available to unauthenticated and authenticated user, does not properly sanitise multiple parameters before using them in SQL statements, leading to SQL injections

Do I need to act?

!
74.6% chance of exploitation in next 30 days
EPSS score — higher than 25% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Frontend Manager For Woocommerce Along With Bookings Subscription Listings Compatible

Affected Vendors

Wclovers

References (2)

Exploit https://wpscan.com/vulnerability/763c08a0-4b2b-4487-b91c-be6cc2b9322e
Exploit https://wpscan.com/vulnerability/763c08a0-4b2b-4487-b91c-be6cc2b9322e
56
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 19/34 · Moderate
Exposure 5/34 · Minimal