CVE-2021-24151

7.2 HIGH

📋 TL;DR

This vulnerability allows authenticated WordPress administrators to perform blind SQL injection attacks through unsanitized plugin settings fields. Attackers with admin access can extract database information, potentially compromising the entire WordPress installation and underlying server.

💻 Affected Systems

Products:
  • WP Editor WordPress Plugin
Versions: All versions before 1.2.7
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress administrator privileges to exploit.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full database compromise leading to data theft, privilege escalation, and potential remote code execution on the server.

🟠 Likely Case: Database information disclosure, including user credentials, sensitive content, and configuration data.

🟢 If Mitigated: Limited impact with proper access controls and database segmentation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin access but is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.7

Vendor Advisory: https://wpscan.com/vulnerability/5ee77dd7-5a73-4d4e-8038-23e6e763e20c/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins.
3. Find the WP Editor plugin.
4. Update to version 1.2.7 or later.
5. Verify that the update completed successfully.

🔧 Temporary Workarounds

Disable WP Editor Plugin
Applies to: all

Temporarily disable the vulnerable plugin until patching is possible:

wp plugin deactivate wp-editor

🧯 If You Can't Patch

  • Restrict admin access to trusted users only.
  • Implement web application firewall with SQL injection rules.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > WP Editor version number.

Check Version:

wp plugin list --name=wp-editor --field=version

Verify Fix Applied:

Confirm WP Editor plugin version is 1.2.7 or higher in WordPress admin.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple POST requests to /wp-admin/admin.php with plugin settings parameters

Network Indicators:

  • POST requests containing SQL injection patterns to plugin endpoints

SIEM Query:

source="web_logs" AND (uri="/wp-admin/admin.php" AND params CONTAINS "wp_editor") AND (params CONTAINS "SELECT" OR params CONTAINS "UNION" OR params CONTAINS "OR 1=1")
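A small log-scanning script that applies the SIEM query's three patterns to web access-log lines, added here as an example and not part of the original advisory or the plugin's own code. It assumes the request parameters are visible in the logged request target (a query string; most access logs do not record POST bodies), and the sample lines and parameter names are constructed.

```python
import re
from urllib.parse import unquote_plus

# Common/combined access-log line: client ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# The same three tokens as the SIEM query, as case-insensitive, word-bounded regexes
SQLI_PATTERNS = {
    "select": re.compile(r"\bSELECT\b", re.IGNORECASE),
    "union": re.compile(r"\bUNION\b", re.IGNORECASE),
    "or-1=1": re.compile(r"\bOR\s+1\s*=\s*1\b", re.IGNORECASE),
}

def classify(line):
    """Return the matched pattern names for one log line, or None if the line is not of interest."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "POST":
        return None
    target = m["target"]
    if not target.startswith("/wp-admin/admin.php"):
        return None
    # Decode %xx and '+' so URL-encoded payloads are inspected in plain form
    params = unquote_plus(target.partition("?")[2])
    if "wp_editor" not in params.lower():
        return None
    hits = [name for name, rx in SQLI_PATTERNS.items() if rx.search(params)]
    return hits or None

def scan(lines):
    """Run classify() over an iterable of log lines; return one alert dict per suspicious request."""
    alerts = []
    for line in lines:
        hits = classify(line)
        if hits:
            m = LOG_RE.match(line)
            alerts.append({"ip": m["ip"], "user": m["user"], "ts": m["ts"], "hits": hits})
    return alerts

# Constructed sample log lines (not from a real incident); the settings parameter names are invented
SAMPLE_LOG = [
    '203.0.113.5 - admin [10/Mar/2021:12:00:01 +0000] "POST /wp-admin/admin.php?page=wp_editor_settings&theme=cobalt HTTP/1.1" 200 512',
    '203.0.113.5 - admin [10/Mar/2021:12:00:07 +0000] "POST /wp-admin/admin.php?page=wp_editor_settings&theme=cobalt%27+OR+1%3D1--+ HTTP/1.1" 200 512',
    '198.51.100.9 - editor [10/Mar/2021:12:01:30 +0000] "GET /wp-admin/admin.php?page=wp_editor_settings HTTP/1.1" 200 2048',
    '203.0.113.5 - admin [10/Mar/2021:12:02:15 +0000] "POST /wp-admin/admin.php?page=wp_editor_settings&theme=x%22+UNION+SELECT+1%2C2-- HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The benign settings save and the GET request produce no alert; the two encoded requests are flagged with the pattern names they matched, so the same logic can be pointed at a real log file line by line.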
