CVE-2021-24460

8.8 HIGH

📋 TL;DR

This SQL injection vulnerability in the Popup Like box – Page Plugin for WordPress lets an authenticated administrator run arbitrary SQL through the plugin's admin dashboard pages (the unsanitized orderby parameter). It affects WordPress sites running vulnerable versions of the plugin and can compromise site data and server integrity.

💻 Affected Systems

Products:
  • Popup Like box – Page Plugin for WordPress
Versions: All versions before 3.5.3
Operating Systems: All platforms running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires admin dashboard access for exploitation, but any admin user can trigger the vulnerability.


⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise leading to data theft, privilege escalation, and potential remote code execution on the server.

🟠 Likely Case: Unauthorized data access, modification of database content, and potential site defacement.

🟢 If Mitigated: Limited impact with proper input validation and database user privilege restrictions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin access but uses simple SQL injection techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.5.3

Vendor Advisory: https://wpscan.com/vulnerability/9c0164f2-464b-4876-a48f-c0ebd63cf397

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Popup Like box – Page Plugin'.
4. Click 'Update Now' if available, or manually update to version 3.5.3 or later.

🔧 Temporary Workarounds

Disable vulnerable plugin (platforms: all)

Temporarily deactivate the plugin until patched:

wp plugin deactivate popup-like-box

Apply input validation filter (platforms: all)

Add a custom filter in the theme's functions.php that validates and sanitizes the orderby parameter before it reaches a query.
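The workaround above is stated in one line; as an added example (not the plugin's own code, and not the plugin's real table, column or hook names, which are all assumed here), the vulnerable pattern the advisory describes is shown beside the allowlist control that closes it. ORDER BY takes an identifier, which cannot be bound as a prepared-statement parameter, so the fix is to map the request value onto a fixed set of known column names rather than to escape it.

```php
<?php
// Added example, not the plugin's own code. Table name, column names and the
// `plb_orderby` hook are assumptions chosen for illustration.

// Unsafe pattern (the bug class in the advisory): the request value is
// concatenated straight into the ORDER BY clause.
function plb_build_query_unsafe(string $table, string $orderby): string
{
    return "SELECT * FROM {$table} ORDER BY {$orderby}";
}

// Safe pattern: accept only values that name a real, sortable column and fall
// back to a default otherwise. Strict comparison avoids type juggling.
function plb_safe_orderby(?string $requested, array $allowed, string $default): string
{
    if ($requested === null) {
        return $default;
    }
    $requested = strtolower(trim($requested));
    return in_array($requested, $allowed, true) ? $requested : $default;
}

// Sort direction gets the same treatment: two fixed outcomes, nothing else.
function plb_safe_order(?string $requested): string
{
    return strtoupper((string) $requested) === 'DESC' ? 'DESC' : 'ASC';
}

function plb_build_query_safe(string $table, ?string $orderby, ?string $order): string
{
    $column    = plb_safe_orderby($orderby, ['id', 'created_at', 'likes'], 'id');
    $direction = plb_safe_order($order);
    return "SELECT * FROM {$table} ORDER BY `{$column}` {$direction}";
}

// In functions.php the sanitizer can be attached to a plugin filter *if* the
// plugin exposes one; the hook name below is assumed, not the plugin's.
// add_filter('plb_orderby', fn($v) => plb_safe_orderby($v, ['id', 'created_at', 'likes'], 'id'));

// Constructed request values: a legitimate sort key and an injection attempt.
$legit   = plb_build_query_safe('wp_popup_likes', 'likes', 'desc');
$attempt = plb_build_query_safe('wp_popup_likes', 'id; SELECT 1', 'ASC');
echo $legit, "\n";
echo $attempt, "\n";
```

Run with `php example.php`: the legitimate request sorts by the requested column, while the injection attempt never reaches the SQL string because it is not in the allowlist and is replaced by the default column.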

🧯 If You Can't Patch

  • Restrict admin dashboard access to trusted users only
  • Implement web application firewall with SQL injection rules

🔍 How to Verify

Check if Vulnerable:

Check plugin version in WordPress admin → Plugins → Installed Plugins

Check Version:

wp plugin get popup-like-box --field=version

Verify Fix Applied:

Confirm plugin version is 3.5.3 or higher

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts to admin panel
  • Suspicious orderby parameter values in web server logs

Network Indicators:

  • SQL error messages in HTTP responses
  • Unusual database connection patterns

SIEM Query:

SELECT * FROM web_logs WHERE url LIKE '%orderby=%' AND (url LIKE '%SELECT%' OR url LIKE '%UNION%' OR url LIKE '%INSERT%')
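The SIEM query above matches raw URLs, so it is case-sensitive and does not see percent-encoded payloads. As an added example (not part of the advisory), the following script applies the same idea to access-log lines after URL-decoding and case-folding the orderby value, which both catches encoded injection attempts and avoids flagging a legitimately encoded column name. The log lines are constructed samples in common access-log format.

```php
<?php
// Added example, not part of the advisory. Flags requests whose "orderby"
// query parameter carries SQL syntax once the value is URL-decoded.
// Log lines are constructed samples, not real traffic.

$log_lines = [
    '10.0.0.5 - - [12/Jun/2021:10:01:02 +0000] "GET /wp-admin/admin.php?page=popup-like-box&orderby=created_at HTTP/1.1" 200 5120',
    '10.0.0.9 - - [12/Jun/2021:10:02:40 +0000] "GET /wp-admin/admin.php?page=popup-like-box&orderby=id%20UNION%20SELECT%201 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [12/Jun/2021:10:02:41 +0000] "GET /wp-admin/admin.php?page=popup-like-box&orderby=id)%20union%20select%20(1 HTTP/1.1" 500 310',
    '10.0.0.7 - - [12/Jun/2021:10:03:10 +0000] "GET /wp-admin/admin.php?page=popup-like-box&orderby=%63%72%65%61%74%65%64_at HTTP/1.1" 200 5120',
];

// SQL keywords and punctuation that never belong in a column name.
const SQL_TOKENS = '/\b(select|union|insert|update|delete|sleep|benchmark)\b|[;\'"]|--|\/\*/i';

// Pull the request target out of the log line and return the decoded
// orderby value, or null when the request has none.
function extract_orderby(string $line): ?string
{
    if (!preg_match('/"(?:GET|POST)\s+(\S+)\s+HTTP/', $line, $m)) {
        return null;
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if ($query === null || $query === false) {
        return null;
    }
    parse_str($query, $params); // parse_str URL-decodes every value
    return isset($params['orderby']) ? (string) $params['orderby'] : null;
}

// Decode a second time to catch double-encoded values, then look for tokens.
function is_suspicious_orderby(string $value): bool
{
    $decoded = rawurldecode($value);
    return preg_match(SQL_TOKENS, $decoded) === 1;
}

foreach ($log_lines as $line) {
    $value = extract_orderby($line);
    if ($value === null) {
        continue;
    }
    $status = is_suspicious_orderby($value) ? 'ALERT' : 'ok';
    printf("%-5s orderby=%s\n", $status, $value);
}
```

The fourth sample line decodes to the ordinary column name created_at and is not flagged, while the two UNION attempts are caught regardless of letter case or encoding; the 500 status on the third line is the kind of SQL-error response the Network Indicators list above refers to.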
