CVE-2021-43408
moderate-risk
Published 2021-11-19
The "Duplicate Post" WordPress plugin up to and including version 1.1.9 is vulnerable to SQL injection. SQL injection vulnerabilities occur when client-supplied data is included within an SQL query insecurely. SQL injection can typically be exploited to read, modify and delete SQL table data. In many cases it is also possible to exploit features of the SQL server to execute system commands and/or access the local file system. This particular vulnerability can be exploited by any authenticated user who has been granted access to use the Duplicate Post plugin. By default, this is limited to Administrators; however, the plugin presents the option to permit access to the Editor, Author, Contributor and Subscriber roles.
Do I need to act?
31.3% chance of exploitation in next 30 days
EPSS score — higher than 69% of all CVEs
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 6.5/10
Medium
NETWORK / LOW complexity
Affected Products (1)
Affected Vendors
References (4)
Third Party Advisory
https://plugins.trac.wordpress.org/browser/copy-delete-posts/tags/1.2.0/post/han...
Third Party Advisory
https://plugins.trac.wordpress.org/browser/copy-delete-posts/tags/1.2.0/post/han...
45 / 100
moderate-risk
Severity: 24/34 · High
Exploitability: 16/34 · Moderate
Exposure: 5/34 · Minimal