CVE-2021-24132

8.8 HIGH

📋 TL;DR

This SQL injection vulnerability in the Slider by 10Web WordPress plugin allows authenticated users with Contributor+ permissions to execute arbitrary SQL commands when the 'Role Options' feature is enabled. Attackers could read, modify, or delete database content, potentially compromising the entire WordPress site. The vulnerability affects versions before 1.2.36.

💻 Affected Systems

Products:
  • Slider by 10Web WordPress plugin
Versions: All versions before 1.2.36
Operating Systems: All platforms running WordPress
Default Config Vulnerable: ✅ No
Notes: Requires 'Role Options' feature enabled for non-admin users to be exploitable by Contributors+

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, site defacement, privilege escalation to administrator, or full site takeover.

🟠 Likely Case

Data exfiltration from the WordPress database, including user credentials, sensitive content, or plugin data.

🟢 If Mitigated

Limited impact if proper access controls restrict plugin functionality to trusted administrators only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access with at least Contributor permissions and the 'Role Options' feature enabled.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.36

Vendor Advisory: https://wordpress.org/plugins/slider-wd/#developers

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Slider by 10Web' and click 'Update Now'.
4. Verify that the installed version is 1.2.36 or later.

🔧 Temporary Workarounds

Disable Role Options (platform: all)

Prevent non-admin users from accessing the vulnerable plugin functionality.

Remove Plugin (platform: linux, via WP-CLI)

Temporarily disable or remove the plugin until it can be patched:

wp plugin deactivate slider-wd
wp plugin delete slider-wd

🧯 If You Can't Patch

  • Restrict plugin access to trusted administrators only
  • Implement web application firewall with SQL injection rules

🔍 How to Verify

Check if Vulnerable:

In the WordPress admin panel, go to Plugins → Slider by 10Web → Version. If the installed version is lower than 1.2.36, the site is vulnerable.

Check Version:

wp plugin get slider-wd --field=version

Verify Fix Applied:

Confirm plugin version is 1.2.36 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in WordPress debug logs
  • Multiple failed authentication attempts followed by plugin access

Network Indicators:

  • POST requests to /wp-admin/admin-ajax.php with SQL-like parameters
  • Unusual database connection patterns

SIEM Query:

source="wordpress.log" ("slider-wd" OR "admin-ajax.php") ("SELECT" OR "UNION" OR "INSERT" OR "DELETE")
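The log and network indicators above can be turned into a small offline scanner. The following is an added example, not code from the page or from the plugin vendor; it assumes a constructed log format (timestamp, WordPress user, method, path, raw POST body) and scopes the SQL-keyword check to POST requests to admin-ajax.php or requests mentioning slider-wd, matching keywords only as whole words in the URL-decoded body to avoid flagging ordinary text such as "Selection" or "deleted".

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log (not from the page). Assumed format per line:
#   <timestamp> <wp-user> <method> <path> "<raw POST body>"
SAMPLE_LOG = """\
2021-03-02T09:14:03Z contributor7 POST /wp-admin/admin-ajax.php "action=slider-wd-demo&order=id&dir=asc"
2021-03-02T09:14:31Z contributor7 POST /wp-admin/admin-ajax.php "action=slider-wd-demo&title=Selection+of+deleted+slides"
2021-03-02T09:15:02Z contributor7 POST /wp-admin/admin-ajax.php "action=slider-wd-demo&order=id%20UNION%20SELECT%201%2C2%2C3"
2021-03-02T09:15:40Z editor2 GET /wp-admin/edit.php "post_type=page&s=select"
this line is not in the expected format
"""

SQL_KEYWORDS = ("SELECT", "UNION", "INSERT", "DELETE")
KEYWORD_RE = re.compile(r"\b(" + "|".join(SQL_KEYWORDS) + r")\b", re.IGNORECASE)
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "(?P<body>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one log line, or None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def sql_keywords_in(entry):
    """Distinct SQL keywords found as whole words in the URL-decoded POST body."""
    decoded = unquote_plus(entry["body"])
    return sorted({k.upper() for k in KEYWORD_RE.findall(decoded)})

def is_candidate(entry):
    """Scope from the page's network indicator: POST to admin-ajax.php, or any
    request whose body references the slider-wd plugin."""
    ajax_post = entry["method"] == "POST" and entry["path"].endswith("/admin-ajax.php")
    return ajax_post or "slider-wd" in entry["body"]

def scan(log_text):
    """Return (timestamp, user, keywords) for each in-scope request whose decoded
    body contains at least one SQL keyword; malformed lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or not is_candidate(entry):
            continue
        found = sql_keywords_in(entry)
        if found:
            hits.append((entry["ts"], entry["user"], found))
    return hits

if __name__ == "__main__":
    for ts, user, kws in scan(SAMPLE_LOG):
        print(f"{ts} {user} keywords={','.join(kws)}")
```

Only the third sample line is reported; the GET request containing "select" falls outside the scope, and the whole-word match ignores "Selection" and "deleted".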
