CVE-2021-24385

9.8 CRITICAL

📋 TL;DR

CVE-2021-24385 is a critical SQL injection vulnerability in the FileBird WordPress plugin that allows unauthenticated attackers to execute arbitrary SQL queries via a REST API endpoint. This affects WordPress sites running FileBird plugin version 4.7.3, potentially leading to complete database compromise.

💻 Affected Systems

Products:
  • FileBird WordPress Plugin
Versions: 4.7.3
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects WordPress installations with FileBird plugin version 4.7.3 installed and activated.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database takeover including sensitive data exfiltration, privilege escalation, arbitrary code execution via database functions, and full site compromise.

🟠 Likely Case

Data theft including user credentials, personal information, and site content; potential for backdoor installation and persistence.

🟢 If Mitigated

Limited impact: proper input validation and parameterized queries prevent the injection.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires no authentication and uses simple HTTP POST requests to vulnerable REST API endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.7.4 and later

Vendor Advisory: https://10up.com/blog/2021/security-vulnerability-filebird-wordpress-plugin/

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find FileBird plugin
4. Click 'Update Now' if available
5. Alternatively, download version 4.7.4+ from WordPress repository
6. Deactivate and delete old version, then upload new version

🔧 Temporary Workarounds

Disable FileBird Plugin

Applies to: all

Temporarily disable the vulnerable plugin until patched:

wp plugin deactivate filebird

Restrict REST API Access

Applies to: all

Block anonymous access to WordPress REST API endpoints.

WordPress core has no constant that switches the REST API off; instead, require a logged-in user for every REST request (FileBird's routes included) by adding the following to a must-use plugin in wp-content/mu-plugins/ or to the theme's functions.php (PHP 7.4+; note that this also blocks any front-end feature that relies on anonymous REST calls):

add_filter('rest_authentication_errors', fn($result) => is_user_logged_in() ? $result : new WP_Error('rest_not_logged_in', 'Authentication required.', ['status' => 401]));

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block SQL injection patterns
  • Restrict network access to WordPress admin interface and REST API endpoints

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → FileBird version. If version is 4.7.3, system is vulnerable.

Check Version:

wp plugin get filebird --field=version

Verify Fix Applied:

Verify FileBird plugin version is 4.7.4 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /wp-json/filebird/v1/ endpoints
  • SQL syntax errors in server error logs (PHP or database)
  • Multiple failed SQL queries from a single IP

Network Indicators:

  • HTTP POST requests containing SQL keywords (SELECT, UNION, INSERT) to REST API endpoints
  • Unusual database connection patterns

SIEM Query:

source="web_server.log" AND ("wp-json/filebird" OR "filebird/v1") AND ("SELECT" OR "UNION" OR "INSERT" OR "DELETE")
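As an added detection example (not part of this advisory), the following Python scans constructed web access-log lines for the two log indicators above: POST requests to the FileBird REST namespace carrying SQL keywords in the URL, and repeated server errors on those endpoints from one client. The "/folders" route name and the client IPs are assumptions made for the sample data.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines (combined log format), not real traffic; the
# "/folders" route name and the client IPs are assumptions for illustration.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jun/2021:12:00:01 +0000] "POST /wp-json/filebird/v1/folders?order=id%20UNION%20SELECT%201 HTTP/1.1" 500 512 "-" "python-requests/2.25"
203.0.113.10 - - [10/Jun/2021:12:00:02 +0000] "POST /wp-json/filebird/v1/folders HTTP/1.1" 500 128 "-" "python-requests/2.25"
198.51.100.7 - - [10/Jun/2021:12:00:03 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jun/2021:12:00:04 +0000] "POST /wp-json/filebird/v1/folders HTTP/1.1" 500 128 "-" "python-requests/2.25"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
SQL_RE = re.compile(r"\b(SELECT|UNION|INSERT|DELETE)\b", re.IGNORECASE)


def parse_line(line):
    """Fields of one access-log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_filebird_rest(path):
    # Matches both the pretty-permalink form and the plain ?rest_route= form.
    return "wp-json/filebird" in path or "filebird/v1" in path


def scan_log(text, error_threshold=2):
    """Return (ip, reason, detail) findings for the two log indicators above."""
    findings, errors_by_ip = [], {}
    for line in text.splitlines():
        rec = parse_line(line)
        path = unquote_plus(rec["path"]) if rec else ""  # payloads usually arrive URL-encoded
        if not is_filebird_rest(path):
            continue
        if rec["method"] == "POST" and SQL_RE.search(path):
            findings.append((rec["ip"], "sql-keyword", path))
        if rec["status"] >= 500:  # a query that errored out usually surfaces as a 5xx
            errors_by_ip[rec["ip"]] = errors_by_ip.get(rec["ip"], 0) + 1
    for ip, count in errors_by_ip.items():
        if count >= error_threshold:
            findings.append((ip, "repeated-5xx", f"{count} server errors on FileBird endpoints"))
    return findings
```

Standard access logs do not record POST bodies, so a payload sent only in the body shows up here just as a burst of 5xx responses; pair this with the PHP or database error log to see the failing query text.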
