CVE-2021-24336

7.2 HIGH

📋 TL;DR

This SQL injection vulnerability in the FlightLog WordPress plugin allows authenticated users with editor or administrator privileges to execute arbitrary SQL commands. Attackers could read, modify, or delete database content, potentially compromising the entire WordPress installation. Only WordPress sites running the vulnerable FlightLog plugin are affected.

💻 Affected Systems

Products:
  • FlightLog WordPress Plugin
Versions: through 3.0.2
Operating Systems: All platforms running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with FlightLog plugin enabled. Exploitation requires editor or administrator user credentials.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, privilege escalation, site defacement, or full system takeover if the database user has elevated privileges.

🟠 Likely Case

Unauthorized data access, modification of plugin data, or extraction of sensitive information such as user credentials from the WordPress database.

🟢 If Mitigated

Limited impact where access controls are enforced, but data manipulation within the plugin's scope remains possible.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

SQL injection is well-understood with many available tools. Requires authenticated access as editor or administrator.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.0.3 or later

Vendor Advisory: https://wpscan.com/vulnerability/dda0593e-cd97-454e-a8c8-15d7f690311c

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the FlightLog plugin.
4. Click 'Update Now' if an update is available.
5. If no update is available, deactivate and delete the plugin, then install the latest version from the WordPress repository.

🔧 Temporary Workarounds

Disable FlightLog Plugin

Platform: all

Temporarily disable the vulnerable plugin until it is patched:

wp plugin deactivate flightlog

Restrict User Privileges

Platform: all

Limit editor and administrator accounts to trusted users only.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) with SQL injection rules
  • Remove editor and administrator access from untrusted users

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for FlightLog version 3.0.2 or earlier

Check Version:

wp plugin get flightlog --field=version

Verify Fix Applied:

Confirm FlightLog plugin version is 3.0.3 or later in WordPress admin

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts for admin accounts
  • Unexpected plugin file modifications

Network Indicators:

  • SQL injection patterns in HTTP POST requests to /wp-admin/ or /wp-content/plugins/flightlog/

SIEM Query:

source="web_logs" AND (uri_path="/wp-admin/*" OR uri_path="/wp-content/plugins/flightlog/*") AND (http_method="POST") AND (message="*sql*" OR message="*union*" OR message="*select*" OR message="*insert*")
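As an added example, not part of this advisory, the following Python runs the network-indicator check over constructed web-log lines and contrasts the SIEM query's bare keyword matching with token-level SQL patterns, which avoid flagging legitimate words such as "selected". The log format (combined log plus a trailing quoted POST body), the IP addresses and the `id` parameter name are constructed assumptions.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote_plus

# Constructed log format: Apache combined log plus the POST body as a final quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} \S+ '
    r'"[^"]*" "[^"]*"(?: "(?P<body>[^"]*)")?$'
)
WATCHED_PREFIXES = ("/wp-admin/", "/wp-content/plugins/flightlog/")  # paths from the advisory
KEYWORDS = ("sql", "union", "select", "insert")  # bare words, as in the SIEM query
# Token-level patterns (keyword pairs, quote + boolean clause, comments, stacked statements).
SQLI_RE = re.compile(
    r"union\s+(all\s+)?select|'\s*(or|and)\s+[\w']+\s*=|--\s|/\*|;\s*(drop|insert|update|delete)\b",
    re.IGNORECASE,
)

def parse(line: str) -> Optional[dict]:
    """Fields of a POST to a watched path, with the request URL-decoded, or None otherwise."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "POST" or not m["path"].startswith(WATCHED_PREFIXES):
        return None
    d = m.groupdict()
    d["decoded"] = unquote_plus(d["path"] + " " + (d["body"] or ""))  # %27 -> ', + -> space
    return d

def keyword_match(line: str) -> bool:
    """The SIEM query's logic: any bare keyword anywhere in a watched POST request."""
    d = parse(line)
    return d is not None and any(k in d["decoded"].lower() for k in KEYWORDS)

def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Token-level matching; returns (ip, timestamp, matched fragment) per suspicious request."""
    hits = []
    for line in lines:
        d = parse(line)
        s = SQLI_RE.search(d["decoded"]) if d else None
        if s:
            hits.append((d["ip"], d["ts"], s.group(0)))
    return hits

SAMPLE_LOG = [  # constructed entries (documentation-range IPs); 'id' is a placeholder parameter
    '203.0.113.5 - - [10/Jun/2021:09:12:01 +0000] "GET /wp-content/plugins/flightlog/ HTTP/1.1" 200 512 "-" "Mozilla/5.0" ""',
    '203.0.113.5 - - [10/Jun/2021:09:12:07 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0" "action=flightlog&notes=selected+aircraft"',
    '198.51.100.9 - - [10/Jun/2021:09:13:44 +0000] "POST /wp-content/plugins/flightlog/ HTTP/1.1" 200 2048 "-" "curl/7.68.0" "id=1%27+UNION+SELECT+1,2,3--+"',
    '198.51.100.9 - - [10/Jun/2021:09:13:50 +0000] "POST /contact/ HTTP/1.1" 200 128 "-" "curl/7.68.0" "msg=union+select"',
]
```

On the sample, `keyword_match` flags the benign second entry because "selected" contains "select", while `scan` reports only the third entry.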

🔗 References
