CVE-2021-24361
📋 TL;DR
This vulnerability allows unauthenticated attackers to execute arbitrary SQL commands on WordPress sites using the Location Manager plugin before version 2.1.0.10. Attackers can potentially read, modify, or delete database content, including sensitive user data. All WordPress installations with the vulnerable plugin version are affected.
💻 Affected Systems
- WordPress Location Manager Plugin
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise allowing data theft, modification, or deletion; potential privilege escalation to administrator access; possible remote code execution through database functions.
Likely Case
Data exfiltration of sensitive information (user credentials, personal data), database manipulation, and potential site defacement.
If Mitigated
Limited impact with proper input validation and parameterized queries preventing SQL injection.
🎯 Exploit Status
SQL injection via POST parameters to gd_popular_location_list AJAX endpoint. Exploitation requires minimal technical skill.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.0.10
Vendor Advisory: https://wpgeodirectory.com/downloads/location-manager/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'Location Manager' plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 2.1.0.10 or later from the vendor site and update manually.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
Remove or restrict access to the gd_popular_location_list AJAX action.
Add to the theme's functions.php or a custom plugin:
remove_action('wp_ajax_gd_popular_location_list', 'gd_popular_location_list');
remove_action('wp_ajax_nopriv_gd_popular_location_list', 'gd_popular_location_list');
Note that remove_action() only has an effect if the plugin has already registered the hook at the time it runs; if the plugin registers its AJAX actions on init, wrap the two calls in an init callback with a late priority.
Web Application Firewall rule
Block SQL injection patterns targeting the vulnerable endpoint.
WAF specific: create a rule that blocks requests containing SQL keywords sent to /wp-admin/admin-ajax.php with action=gd_popular_location_list.
🧯 If You Can't Patch
- Disable the Location Manager plugin completely until patched
- Implement strict network access controls to limit who can reach the WordPress admin-ajax.php endpoint
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Location Manager version. If version < 2.1.0.10, vulnerable.
Check Version:
wp plugin list --name='location-manager' --field=version (if WP-CLI installed)
Verify Fix Applied:
Confirm plugin version is 2.1.0.10 or higher in WordPress admin panel.
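When WP-CLI is not available, the installed version can be read from the plugin's main PHP file header and compared numerically against 2.1.0.10. The script below is an added example and is not part of the advisory or the plugin; the plugin header it parses is constructed, and the four-component version format is assumed from the advisory. It exists mainly to show the trap in naive string comparison: as strings, "2.1.0.9" sorts after "2.1.0.10", so a shell or spreadsheet comparison would wrongly report the vulnerable version as patched.

```python
import re

# Fixed version from the advisory: anything lower is vulnerable.
FIXED_VERSION = (2, 1, 0, 10)

# Constructed sample of a WordPress plugin file header (not the real plugin's file).
SAMPLE_PLUGIN_HEADER = """<?php
/*
Plugin Name: GeoDirectory Location Manager
Version: 2.1.0.9
*/
"""


def plugin_version_from_header(php_source):
    """Return the 'Version:' value from a WordPress plugin header, or None."""
    match = re.search(r"^\s*\*?\s*Version:\s*(\S+)", php_source, re.MULTILINE)
    return match.group(1) if match else None


def parse_version(version):
    """Turn '2.1.0.10' into (2, 1, 0, 10); non-numeric suffixes such as
    '10-beta' keep their leading digits so the comparison stays numeric."""
    parts = []
    for piece in version.strip().split("."):
        digits = re.match(r"\d*", piece).group()
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable(version):
    """True when the installed version is below the fixed version.
    Both tuples are padded with zeros so '2.1' compares as 2.1.0.0."""
    installed = parse_version(version)
    width = max(len(installed), len(FIXED_VERSION))
    installed += (0,) * (width - len(installed))
    fixed = FIXED_VERSION + (0,) * (width - len(FIXED_VERSION))
    return installed < fixed


def check_header(php_source):
    """Convenience wrapper: parse the header and report (version, vulnerable)."""
    version = plugin_version_from_header(php_source)
    if version is None:
        return None, None
    return version, is_vulnerable(version)


if __name__ == "__main__":
    version, vulnerable = check_header(SAMPLE_PLUGIN_HEADER)
    print(f"installed {version}: {'VULNERABLE' if vulnerable else 'patched'}")
    # Naive string comparison gets this case backwards:
    print("string compare says 2.1.0.9 > 2.1.0.10:", "2.1.0.9" > "2.1.0.10")
```

Run it against the real plugin's main file (the path is deployment specific) with `check_header(open(path).read())`; the string-comparison line prints True, which is exactly why the tuple comparison is needed.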
📡 Detection & Monitoring
Log Indicators:
- Multiple POST requests to /wp-admin/admin-ajax.php with action=gd_popular_location_list containing SQL keywords
- Unusual database queries from WordPress application user
- Error logs showing SQL syntax errors
Network Indicators:
- POST requests with SQL injection payloads in parameters
- Unusual outbound database connections from web server
SIEM Query:
source="web_logs" AND uri_path="/wp-admin/admin-ajax.php" AND post_data CONTAINS "gd_popular_location_list" AND (post_data CONTAINS "UNION" OR post_data CONTAINS "SELECT" OR post_data CONTAINS "INSERT" OR post_data CONTAINS "DELETE")
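The SIEM query above does a plain substring match on the raw request body, which misses URL-encoded payloads (`%20UNION%20SELECT`) and lowercase keywords, and it also fires on innocent values such as a city named "Union City". The following added example, which is not part of the advisory, applies the same rule to a small constructed log of admin-ajax.php requests, but decodes the body into parameters first and matches the keywords as whole words, case-insensitively. The tab-separated log format (method, path, body) is an assumption; adapt `parse_log_line` to whatever your web server or proxy actually records.

```python
import re
from urllib.parse import parse_qs, unquote_plus

VULN_PATH = "/wp-admin/admin-ajax.php"
VULN_ACTION = "gd_popular_location_list"
# The keywords from the advisory's SIEM query, matched as whole words.
SQL_KEYWORDS = re.compile(r"\b(UNION|SELECT|INSERT|DELETE)\b", re.IGNORECASE)

# Constructed sample log: method, path, body separated by tabs (not real traffic).
# Line 2 carries a URL-encoded keyword; line 5 is a benign false positive.
SAMPLE_LOG = """\
POST\t/wp-admin/admin-ajax.php\taction=gd_popular_location_list&country=US&region=CA
POST\t/wp-admin/admin-ajax.php\taction=gd_popular_location_list&country=US%27%20UNION%20SELECT%201
POST\t/wp-admin/admin-ajax.php\taction=heartbeat&data=select+all
GET\t/wp-admin/admin-ajax.php\taction=gd_popular_location_list
POST\t/wp-admin/admin-ajax.php\taction=gd_popular_location_list&city=Union+City
"""


def parse_log_line(line):
    """Split one tab-separated record into its three fields."""
    method, path, body = line.rstrip("\n").split("\t", 2)
    return {"method": method, "path": path, "body": body}


def matched_keyword(entry):
    """Return the SQL keyword found in a request to the vulnerable action,
    or None when the request does not match the rule."""
    if entry["method"] != "POST" or entry["path"] != VULN_PATH:
        return None
    # parse_qs decodes percent-encoding and '+' once; keep_blank_values keeps
    # parameters like 'x=' so the action check still sees every key.
    params = parse_qs(entry["body"], keep_blank_values=True)
    if VULN_ACTION not in params.get("action", []):
        return None
    for values in params.values():
        for value in values:
            # A second decode catches double-encoded values (%2527 -> %27 -> ').
            hit = SQL_KEYWORDS.search(unquote_plus(value))
            if hit:
                return hit.group(1).upper()
    return None


def scan_log(text):
    """Return [(line_number, keyword), ...] for every record the rule flags."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        keyword = matched_keyword(parse_log_line(line))
        if keyword:
            hits.append((number, keyword))
    return hits


if __name__ == "__main__":
    for number, keyword in scan_log(SAMPLE_LOG):
        print(f"line {number}: {keyword} in request to {VULN_ACTION}")
```

On the sample the rule flags line 2 (the encoded keyword the raw query would miss) and line 5 (the legitimate "Union City"), while the `select` in the heartbeat request and the GET request are ignored because they do not target the vulnerable action. The false positive on line 5 is inherent in the advisory's keyword list; in practice, correlate hits with the request rate per source and with SQL syntax errors in the database error log before alerting.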