CVE-2021-24483 – This SQL injection vulnerability in the Poll Ma... (How to Fix)

Q: What is the severity of CVE-2021-24483?

CVE-2021-24483 has a CVSS score of 7.2 (HIGH). This SQL injection vulnerability in the Poll Maker WordPress plugin allows authenticated attackers with admin dashboard access to execute arbitrary SQL commands. It affects WordPress sites running vulnerable plugin versions, potentially compromising database integrity and confidentiality.

📋 TL;DR

This SQL injection vulnerability in the Poll Maker WordPress plugin allows authenticated attackers with admin dashboard access to execute arbitrary SQL commands. It affects WordPress sites running vulnerable plugin versions, potentially compromising database integrity and confidentiality.

💻 Affected Systems

Products:

Poll Maker WordPress Plugin

Versions: All versions before 3.2.1

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Requires admin dashboard access; affects WordPress installations with vulnerable plugin versions.

📦 What is this software?

Poll Maker by Ays Pro

View all CVEs affecting Poll Maker →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including data theft, modification, or deletion; potential privilege escalation to full site control.

🟠

Likely Case

Unauthorized data access, extraction of sensitive information from database tables, potential for data manipulation.

🟢

If Mitigated

Limited impact with proper input validation and parameterized queries preventing SQL injection.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires authenticated admin access; SQL injection via orderby parameter manipulation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.2.1

Vendor Advisory: https://wpscan.com/vulnerability/0dc931c6-1fce-4d70-a658-a4bbab10dab3

Restart Required: No

Instructions:

1. Log into WordPress admin dashboard. 2. Navigate to Plugins → Installed Plugins. 3. Find Poll Maker plugin. 4. Click 'Update Now' if available. 5. Alternatively, download version 3.2.1+ from WordPress repository and manually update.

🔧 Temporary Workarounds

Input Validation Filter

all

Add input validation for orderby parameter in affected functions

Modify plugin files to sanitize orderby parameter before SQL queries

Temporary Disable

linux

Disable vulnerable plugin until patched

wp plugin deactivate poll-maker

🧯 If You Can't Patch

Restrict admin dashboard access to trusted users only
Implement web application firewall with SQL injection rules

🔍 How to Verify

Check if Vulnerable:

Check plugin version in WordPress admin → Plugins → Poll Maker

Check Version:

wp plugin get poll-maker --field=version

Verify Fix Applied:

Confirm plugin version is 3.2.1 or higher

📡 Detection & Monitoring

Log Indicators:

Unusual SQL queries in database logs
Multiple failed login attempts to admin dashboard

Network Indicators:

Suspicious POST requests to admin-ajax.php with SQL-like parameters

SIEM Query:

source="wordpress.log" AND "orderby" AND ("UNION" OR "SELECT" OR "FROM")

📊 Metadata

CVE ID: CVE-2021-24483

CVSS v3 Score: 7.2 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-89

Published: August 2, 2021

Last Updated: November 21, 2024

🔗 References

https://wpscan.com/vulnerability/0dc931c6-1fce-4d70-a658-a4bbab10dab3 Exploit,Third Party Advisory
https://wpscan.com/vulnerability/0dc931c6-1fce-4d70-a658-a4bbab10dab3 Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-24483, you might also want to check these: