CVE-2021-24507
📋 TL;DR
This vulnerability allows attackers to execute arbitrary SQL commands on WordPress sites using the Astra Pro Addon plugin. Both unauthenticated and authenticated users can exploit this SQL injection flaw, potentially compromising the entire database. All WordPress sites with vulnerable versions of Astra Pro Addon are affected.
💻 Affected Systems
- Astra Pro Addon for WordPress
📦 What is this software?
Astra by Brainstormforce
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise allowing data theft, privilege escalation, site takeover, and potential remote code execution through database functions.
Likely Case
Data exfiltration including user credentials, sensitive content, and plugin/theme configuration data leading to further attacks.
If Mitigated
Limited impact with proper input validation, database user restrictions, and web application firewall rules in place.
🎯 Exploit Status
SQL injection via POST parameters to publicly accessible AJAX endpoints. Exploitation requires minimal technical skill.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.5.2
Vendor Advisory: https://wpastra.com/changelog/astra-pro-addon/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find Astra Pro Addon.
4. Click 'Update Now' if available.
5. Alternatively, download version 3.5.2+ from wpastra.com and update manually.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoints
Remove or restrict access to the astra_pagination_infinite and astra_shop_pagination_infinite AJAX actions by adding the following to the theme's functions.php. Both the authenticated (wp_ajax_) and unauthenticated (wp_ajax_nopriv_) hooks must be removed. Note that remove_action only takes effect when the callback name and priority match what the plugin registered, so confirm afterwards that the endpoints no longer respond, and keep in mind that a theme update can overwrite functions.php.
remove_action('wp_ajax_astra_pagination_infinite', 'astra_pagination_infinite');
remove_action('wp_ajax_nopriv_astra_pagination_infinite', 'astra_pagination_infinite');
remove_action('wp_ajax_astra_shop_pagination_infinite', 'astra_shop_pagination_infinite');
remove_action('wp_ajax_nopriv_astra_shop_pagination_infinite', 'astra_shop_pagination_infinite');
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block SQL injection patterns targeting the vulnerable endpoints
- Restrict database user permissions to prevent data modification and limit potential damage
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Astra Pro Addon → Version. If version is below 3.5.2, the site is vulnerable.
Check Version:
wp plugin list --fields=name,version | grep -i astra (if WP-CLI is installed; the name column holds the plugin slug, so filtering with --name='Astra Pro Addon' on the display name would match nothing)
Verify Fix Applied:
Confirm Astra Pro Addon version is 3.5.2 or higher in WordPress admin panel.
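The version check above is easy to get wrong when scripted, because a plain string comparison treats "3.10.0" as older than "3.5.2". The following is an added example, not code from the advisory or from the Astra project: it reads the Version header from a plugin's main PHP file the way WordPress does (a constructed header is embedded as sample input) and compares it numerically against the 3.5.2 patch version stated above. The header text and the function names are assumptions made for this example.

```python
import re

# Patched version from the advisory.
PATCHED_VERSION = "3.5.2"

# Constructed sample of a WordPress plugin file header (not the real Astra
# Pro Addon file); WordPress reads the "Version:" line from the main PHP file.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Astra Pro Addon (constructed sample)
 * Version: 3.5.1
 * Author: constructed
 */
"""


def parse_version(text):
    """Turn '3.5.2' (optionally with a suffix such as '-beta') into an int tuple."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError("not a dotted version: %r" % text)
    return tuple(int(part) for part in m.group(1).split("."))


def compare_versions(a, b):
    """Return -1, 0 or 1 like a numeric comparison, padding short versions with zeros
    so that 3.5 < 3.5.2 and 3.5.2.0 == 3.5.2."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def is_vulnerable(installed_version):
    """True when the installed version is below the patched version."""
    return compare_versions(installed_version, PATCHED_VERSION) < 0


def version_from_plugin_header(php_source):
    """Extract the Version header the way WordPress's plugin header parser does:
    case-insensitive, ignoring leading comment characters on the line."""
    m = re.search(r"^[ \t/*#@]*Version:\s*(.+?)\s*$", php_source, re.IGNORECASE | re.MULTILINE)
    return m.group(1) if m else None


if __name__ == "__main__":
    found = version_from_plugin_header(SAMPLE_HEADER)
    print("installed:", found, "vulnerable:", is_vulnerable(found))
    # The pitfall this example guards against: string order says 3.10.0 < 3.5.2
    print("string compare says 3.10.0 < 3.5.2:", "3.10.0" < "3.5.2")
    print("numeric compare says 3.10.0 vulnerable:", is_vulnerable("3.10.0"))
```

On a live site, point version_from_plugin_header at the plugin's main file under wp-content/plugins, or feed it the output of the WP-CLI command above; either way the numeric comparison, not the string, decides.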
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=astra_pagination_infinite or action=astra_shop_pagination_infinite containing SQL keywords
- Unusual database queries from WordPress application user
- Multiple failed SQL syntax attempts
Network Indicators:
- POST requests with SQL injection payloads in parameters
- Unusual traffic patterns to admin-ajax.php endpoint
SIEM Query:
source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND (action="astra_pagination_infinite" OR action="astra_shop_pagination_infinite") AND (payload CONTAINS "UNION" OR payload CONTAINS "SELECT" OR payload CONTAINS "INSERT" OR payload CONTAINS "DELETE")
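The SIEM query above expresses the idea; the following is an added example, not code from the advisory or from any product, of the same detection logic run over constructed log lines. It goes a little beyond the query by URL-decoding parameter values twice (so double-encoded payloads are caught), by matching the SQL keywords on word boundaries (so an ordinary value such as "selection" is not flagged), and by inspecting the query string as well as the request body, since admin-ajax.php accepts either. The pipe-separated log format, the client addresses, and the parameter names (page_no, category, sort, data) are constructed for this example and not taken from the advisory.

```python
import re
from urllib.parse import parse_qs, urlparse, unquote_plus

# AJAX actions named in the advisory.
WATCHED_ACTIONS = {"astra_pagination_infinite", "astra_shop_pagination_infinite"}
AJAX_PATH = "/wp-admin/admin-ajax.php"

# SQL keywords from the advisory's SIEM query, on word boundaries, plus the
# two comment markers that commonly terminate an injected fragment.
SQL_PATTERNS = {
    "UNION": re.compile(r"\bUNION\b", re.IGNORECASE),
    "SELECT": re.compile(r"\bSELECT\b", re.IGNORECASE),
    "INSERT": re.compile(r"\bINSERT\b", re.IGNORECASE),
    "DELETE": re.compile(r"\bDELETE\b", re.IGNORECASE),
    "comment": re.compile(r"--|/\*"),
}

# Constructed sample log (not from any real server), one request per line:
# timestamp|client_ip|method|uri|request_body   ("-" when there is no body)
SAMPLE_LOG = """\
2021-06-01T10:00:01Z|203.0.113.5|POST|/wp-admin/admin-ajax.php|action=astra_pagination_infinite&page_no=2&category=news
2021-06-01T10:00:02Z|203.0.113.5|POST|/wp-admin/admin-ajax.php|action=astra_pagination_infinite&sort=selection%20order
2021-06-01T10:00:03Z|198.51.100.7|POST|/wp-admin/admin-ajax.php|action=astra_shop_pagination_infinite&page_no=1%20UNION%20SELECT%201%2C2%2C3--
2021-06-01T10:00:04Z|198.51.100.7|POST|/wp-admin/admin-ajax.php|action=heartbeat&data=select%20*%20from
2021-06-01T10:00:05Z|198.51.100.7|GET|/wp-admin/admin-ajax.php?action=astra_pagination_infinite&page_no=%2527%2520UNION%2520SELECT|-
2021-06-01T10:00:06Z|192.0.2.9|GET|/wp-login.php|-
"""


def parse_line(line):
    """Split one log line and merge query-string and body parameters."""
    ts, ip, method, uri, body = line.split("|", 4)
    parsed = urlparse(uri)
    params = parse_qs(parsed.query, keep_blank_values=True)
    if body != "-":
        for name, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(name, []).extend(values)
    return {"ts": ts, "ip": ip, "method": method, "path": parsed.path, "params": params}


def sql_hits(value):
    """Labels of the SQL patterns found in a parameter value. parse_qs already
    decoded once; decoding a second time exposes double-encoded payloads."""
    text = unquote_plus(value)
    return [label for label, rx in SQL_PATTERNS.items() if rx.search(text)]


def detect(log_text):
    """Return one finding per request to a watched Astra AJAX action whose
    parameters carry SQL keywords or comment markers."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["path"] != AJAX_PATH:
            continue
        actions = set(rec["params"].get("action", [])) & WATCHED_ACTIONS
        if not actions:
            continue
        suspicious = {}
        for name, values in rec["params"].items():
            for value in values:
                hits = sql_hits(value)
                if hits:
                    suspicious[name] = hits
        if suspicious:
            findings.append({
                "ts": rec["ts"], "ip": rec["ip"], "method": rec["method"],
                "action": sorted(actions)[0], "suspicious_params": suspicious,
            })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Only two of the six sample lines are reported: the encoded UNION SELECT in the shop pagination POST and the double-encoded payload in the GET query string. The benign pagination request, the "selection" value, the unrelated heartbeat action, and the login page request are all ignored, which is the behaviour you want before wiring a rule like this into a SIEM.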