CVE-2021-24458

8.8 HIGH

📋 TL;DR

This SQL injection vulnerability in the Popup box WordPress plugin allows authenticated attackers with admin dashboard access to execute arbitrary SQL commands. It affects WordPress sites running vulnerable plugin versions, potentially compromising the entire database.

💻 Affected Systems

Products:
  • Popup box WordPress plugin
Versions: Versions before 2.3.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires admin dashboard access for exploitation. Affects all WordPress installations with vulnerable plugin versions.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including sensitive data theft, privilege escalation, and potential site takeover via arbitrary code execution.

🟠 Likely Case

Data exfiltration from WordPress database, including user credentials, plugin settings, and potentially sensitive content.

🟢 If Mitigated

Limited impact if proper input validation and parameterized queries are implemented, restricting SQL command execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated admin access. SQL injection via orderby parameter is straightforward for attackers with credentials.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.3.4

Vendor Advisory: https://wpscan.com/vulnerability/8a588266-54cd-4779-adcf-f9b9e226c297

Restart Required: No

Instructions:

1. Log into WordPress admin dashboard.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Popup box' plugin.
4. Click 'Update Now' if available.
5. Alternatively, download version 2.3.4+ from WordPress repository and manually update.

🔧 Temporary Workarounds

Disable vulnerable plugin (platform: all)

Temporarily disable the Popup box plugin until patched:

wp plugin deactivate popup-box

Web Application Firewall rule (platform: all)

Block SQL injection attempts targeting orderby parameter

🧯 If You Can't Patch

  • Restrict admin dashboard access to trusted IP addresses only
  • Implement database user with minimal privileges for WordPress application

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Popup box version. If version < 2.3.4, system is vulnerable.

Check Version:

wp plugin get popup-box --field=version

Verify Fix Applied:

Confirm plugin version is 2.3.4 or higher in WordPress admin dashboard.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts to admin dashboard
  • Unexpected orderby parameter values in web server logs

Network Indicators:

  • SQL injection payloads in HTTP requests to admin-ajax.php or similar endpoints

SIEM Query:

source="web_server" AND ("orderby" AND ("UNION" OR "SELECT" OR "INSERT" OR "UPDATE" OR "DELETE"))
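As an added detection example (not from the page, the plugin or WPScan), this Python script scans constructed access-log lines for the orderby parameter, URL-decodes it and flags any value that is not a plain column name, which also catches percent-encoded payloads the keyword-only SIEM query above does not match. The log format, the /wp-admin/admin.php?page=popup-box path and all sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# A legitimate orderby value is a column name, optionally followed by a sort direction.
VALID_ORDERBY = re.compile(r"^[A-Za-z0-9_.]+(\s+(ASC|DESC))?$", re.IGNORECASE)
# Keywords the advisory's SIEM query looks for, plus two common time-based probes.
SQL_KEYWORDS = re.compile(r"\b(UNION|SELECT|INSERT|UPDATE|DELETE|SLEEP|BENCHMARK)\b", re.IGNORECASE)
# Combined/common log format: we only need client, request target and status.
LOG_LINE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def suspicious_orderby(target):
    """Return (decoded_value, reason) if the request target carries a suspicious
    orderby parameter, else None. Decoding first defeats %20 / '+' encoding tricks."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for key, values in query.items():
        if key.lower() != "orderby":
            continue
        for value in values:
            value = value.strip()
            if not value or VALID_ORDERBY.match(value):
                continue  # empty or a plain column name: cannot change the query structure
            reason = "sql-keyword" if SQL_KEYWORDS.search(value) else "not-a-column-name"
            return value, reason
    return None


def scan_log(lines):
    """Run suspicious_orderby over raw access-log lines; return one dict per hit."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line in the expected format
        found = suspicious_orderby(m["target"])
        if found:
            hits.append({"client": m["client"], "target": m["target"], "value": found[0], "reason": found[1]})
    return hits


# Constructed sample lines; the admin page path and slug are assumptions, not the plugin's real endpoint.
SAMPLE_LOG = [
    '203.0.113.7 - admin [10/Jun/2021:10:00:01 +0000] "GET /wp-admin/admin.php?page=popup-box&orderby=title&order=asc HTTP/1.1" 200 5120',
    '203.0.113.7 - admin [10/Jun/2021:10:00:09 +0000] "GET /wp-admin/admin.php?page=popup-box&orderby=id%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 7300',
    '203.0.113.7 - admin [10/Jun/2021:10:00:15 +0000] "GET /wp-admin/admin.php?page=popup-box&orderby=id%27 HTTP/1.1" 500 812',
    '198.51.100.4 - - [10/Jun/2021:10:01:00 +0000] "GET /index.php?orderby=date HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['client']} {hit['reason']:<18} {hit['value']!r}  ({hit['target']})")
```

Because the check is shape-based (what an orderby value should look like) rather than keyword-based, it keeps working when an attacker avoids the listed keywords; tune VALID_ORDERBY to the column names the plugin actually accepts.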
