CVE-2021-24130

7.2 HIGH

📋 TL;DR

This vulnerability allows authenticated administrators in WordPress to perform SQL injection attacks through the WP Google Map Plugin's Manage Locations page. Attackers with admin privileges can execute arbitrary SQL commands, potentially compromising the database. Only WordPress sites using vulnerable versions of the WP Google Map Plugin are affected.

💻 Affected Systems

Products:
  • WP Google Map Plugin for WordPress
Versions: All versions before 4.1.5
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress administrator privileges to exploit. The vulnerability exists in the plugin's Manage Locations page within plugin settings.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data theft, data manipulation, privilege escalation to full system access, or complete site takeover.

🟠 Likely Case

Data exfiltration from the WordPress database, including sensitive user information, plugin settings, or site configuration data.

🟢 If Mitigated

Limited impact with proper input validation and parameterized queries preventing SQL injection.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin-level access. SQL injection techniques are well-documented and tools like sqlmap can automate exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.1.5

Vendor Advisory: https://wpscan.com/vulnerability/46af9a4d-67ac-4e08-a753-a2a44245f4f8

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'WP Google Map Plugin'.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 4.1.5+ from the WordPress repository and update manually.

🔧 Temporary Workarounds

Remove vulnerable plugin (applies to: all)

Temporarily disable or remove the WP Google Map Plugin until patched:

wp plugin deactivate wp-google-map-plugin
wp plugin delete wp-google-map-plugin

Restrict admin access (applies to: all)

Limit administrator accounts to only trusted personnel and implement strong authentication.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) with SQL injection rules
  • Restrict database user permissions to minimum required privileges

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for WP Google Map Plugin version

Check Version:

wp plugin get wp-google-map-plugin --field=version

Verify Fix Applied:

Verify plugin version is 4.1.5 or higher in WordPress admin panel
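The version check above and the "before 4.1.5" affected range can be scripted so a fleet of sites is checked consistently. The script below is an added example, not part of this advisory or the plugin project; it assumes WP-CLI (`wp`) is on PATH and that the WordPress root path passed to it is correct. The comparison is done field by field rather than as a string, so that 4.1.10 is correctly treated as newer than 4.1.5.

```shell
#!/bin/sh
# Added example, not part of the advisory. Decides whether an installed copy of
# WP Google Map Plugin is in the affected range (before 4.1.5) and reports it.
# Assumes WP-CLI (`wp`) is on PATH when the live check is used.
FIXED_VERSION="4.1.5"

# Compare two dotted version strings field by field as integers.
# Prints -1, 0 or 1 for a<b, a==b, a>b. Missing fields count as 0 (4.1 == 4.1.0)
# and a non-numeric suffix is ignored (4.1.5-beta compares as 4.1.5).
version_cmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
        ai=${ai%%[!0-9]*}; bi=${bi%%[!0-9]*}
        ai=${ai:-0}; bi=${bi:-0}
        [ "$ai" -lt "$bi" ] && { echo -1; return 0; }
        [ "$ai" -gt "$bi" ] && { echo 1; return 0; }
    done
    echo 0
}

# True (exit 0) when the given version is older than the patched release.
wpgmp_is_vulnerable() {
    [ -n "$1" ] && [ "$(version_cmp "$1" "$FIXED_VERSION")" = "-1" ]
}

# Live check against a WordPress root (assumed path, e.g. /var/www/html).
# Exit 0 when patched or not installed, 2 when a vulnerable version is found.
wpgmp_check_site() {
    root="${1:-.}"
    v=$(wp --path="$root" plugin get wp-google-map-plugin --field=version 2>/dev/null) || {
        echo "wp-google-map-plugin not installed or wp-cli unavailable at $root"
        return 0
    }
    if wpgmp_is_vulnerable "$v"; then
        echo "VULNERABLE: wp-google-map-plugin $v is older than $FIXED_VERSION"
        return 2
    fi
    echo "OK: wp-google-map-plugin $v"
}

# Usage: sh check-wpgmp.sh /var/www/html
if [ "$#" -gt 0 ]; then wpgmp_check_site "$1"; fi
```

A non-zero exit from `wpgmp_check_site` can feed the workaround above (`wp plugin deactivate wp-google-map-plugin`) in the same maintenance job.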

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts followed by admin access
  • Unexpected database schema changes

Network Indicators:

  • Unusual database connection patterns from web server
  • Large data exfiltration from database

SIEM Query:

source="wordpress.log" AND "wp-google-map-plugin" AND ("sql" OR "database" OR "injection")

🔗 References