CVE-2021-24456 – This SQL injection vulnerability in the Quiz Ma... (How to Fix)

Q: What is the severity of CVE-2021-24456?

CVE-2021-24456 has a CVSS score of 7.2 (HIGH). This SQL injection vulnerability in the Quiz Maker WordPress plugin allows authenticated attackers with admin dashboard access to execute arbitrary SQL commands on the database. It affects WordPress sites running vulnerable versions of the plugin, potentially compromising site data and integrity.

📋 TL;DR

This SQL injection vulnerability in the Quiz Maker WordPress plugin allows authenticated attackers with admin dashboard access to execute arbitrary SQL commands on the database. It affects WordPress sites running vulnerable versions of the plugin, potentially compromising site data and integrity.

💻 Affected Systems

Products:

Quiz Maker WordPress Plugin

Versions: All versions before 6.2.0.9

Operating Systems: All platforms running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Requires admin dashboard access for exploitation. Affects all WordPress installations with vulnerable plugin versions.

📦 What is this software?

Quiz Maker by Ays Pro

View all CVEs affecting Quiz Maker →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, data manipulation, privilege escalation, or full site takeover.

🟠

Likely Case

Unauthorized data access, modification of quiz results or user data, and potential privilege escalation within WordPress.

🟢

If Mitigated

Limited impact with proper input validation and parameterized queries preventing SQL injection.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires authenticated admin access. SQL injection via order and orderby parameters is well-documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.2.0.9 and later

Vendor Advisory: https://wpscan.com/vulnerability/929ad37d-9cdb-4117-8cd3-cf7130a7c9d4

Restart Required: No

Instructions:

1. Log into WordPress admin dashboard. 2. Navigate to Plugins → Installed Plugins. 3. Find Quiz Maker plugin. 4. Click 'Update Now' if update available. 5. Alternatively, download version 6.2.0.9+ from WordPress repository and manually update.

🔧 Temporary Workarounds

Disable Quiz Maker Plugin

all

Temporarily disable the vulnerable plugin until patched

wp plugin deactivate quiz-maker

Restrict Admin Access

all

Limit admin dashboard access to trusted users only

🧯 If You Can't Patch

Implement web application firewall (WAF) with SQL injection rules
Restrict database user permissions to minimum required

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin dashboard → Plugins → Quiz Maker version number

Check Version:

wp plugin list --name=quiz-maker --field=version

Verify Fix Applied:

Verify plugin version is 6.2.0.9 or higher in WordPress admin

📡 Detection & Monitoring

Log Indicators:

Unusual SQL queries in database logs
Multiple failed login attempts to admin dashboard
Suspicious order/orderby parameter values in web server logs

Network Indicators:

SQL error messages in HTTP responses
Unusual database connection patterns from web server

SIEM Query:

source="web_server" AND ("order=" OR "orderby=") AND ("SELECT" OR "UNION" OR "INSERT" OR "UPDATE" OR "DELETE")

📊 Metadata

CVE ID: CVE-2021-24456

CVSS v3 Score: 7.2 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-89

Published: August 2, 2021

Last Updated: November 21, 2024

🔗 References

https://wpscan.com/vulnerability/929ad37d-9cdb-4117-8cd3-cf7130a7c9d4 Third Party Advisory
https://wpscan.com/vulnerability/929ad37d-9cdb-4117-8cd3-cf7130a7c9d4 Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-24456, you might also want to check these: