CVE-2021-24550

7.2 HIGH

📋 TL;DR

This vulnerability allows authenticated attackers to perform SQL injection attacks against the Broken Link Manager WordPress plugin. The 'url' GET parameter used when editing a link is passed into a database query without sanitization, so an attacker can manipulate that query. WordPress sites running plugin versions through 0.6.5 are affected.

💻 Affected Systems

Products:
  • Broken Link Manager WordPress Plugin
Versions: through 0.6.5
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires attacker authentication; affects all WordPress installations with vulnerable plugin versions.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise allowing data theft, modification, or deletion; potential privilege escalation to administrator access; possible remote code execution if database permissions allow.

🟠 Likely Case

Unauthorized data access and extraction from the WordPress database, including user credentials, sensitive content, and configuration data.

🟢 If Mitigated

Limited impact with proper input validation and parameterized queries preventing SQL injection.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated user access; SQL injection techniques are well-documented and easily automated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.6.6 or later

Vendor Advisory: https://wordpress.org/plugins/broken-link-manager/#developers

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find Broken Link Manager.
4. Click 'Update Now' if available.
5. Alternatively, delete the plugin and reinstall the latest version from the WordPress repository.

🔧 Temporary Workarounds

Disable Plugin (platform: all)

Temporarily disable the vulnerable plugin until it is patched:

wp plugin deactivate broken-link-manager

WAF Rule (platform: linux)

Implement a web application firewall rule to block SQL injection attempts in the 'url' query parameter. ModSecurity rule (the @detectSQLi operator requires a ModSecurity build with libinjection support):

SecRule ARGS_GET:url "@detectSQLi" "id:1001,phase:2,deny"

🧯 If You Can't Patch

  • Restrict plugin access to trusted administrators only
  • Implement network segmentation to isolate WordPress instance

🔍 How to Verify

Check if Vulnerable:

Check the WordPress admin panel → Plugins → Broken Link Manager version; if the version is ≤0.6.5, the site is vulnerable.

Check Version:

wp plugin get broken-link-manager --field=version

Verify Fix Applied:

Confirm plugin version is ≥0.6.6 in WordPress admin panel.
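The version checks above compare against 0.6.6, and a common mistake when scripting them is to compare version strings lexically ("0.6.10" sorts before "0.6.6" as text). The following is an added example, not code from the page or from the plugin: it parses versions numerically, decides vulnerability against the 0.6.6 fix version stated above, and reads the live version with the wp-cli command from the page. It assumes wp-cli is on PATH when the live check is used; the comparison logic itself runs offline.

```python
import re
import shutil
import subprocess

FIXED_IN = "0.6.6"   # first patched release, per the advisory above

def parse_version(version):
    """Convert '0.6.5' to (0, 6, 5). Numeric tuples compare correctly where
    strings do not: '0.6.10' < '0.6.6' as strings, but (0, 6, 10) > (0, 6, 6)."""
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)   # tolerate suffixes such as '0.6.6-beta1'
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)

def is_vulnerable(installed, fixed_in=FIXED_IN):
    """True when the installed version is older than the first fixed version."""
    return parse_version(installed) < parse_version(fixed_in)

def installed_version():
    """Read the live version with wp-cli (the command from the page);
    returns None if wp is not on PATH or the command fails (assumed environment)."""
    if shutil.which("wp") is None:
        return None
    result = subprocess.run(
        ["wp", "plugin", "get", "broken-link-manager", "--field=version"],
        capture_output=True, text=True)
    return result.stdout.strip() if result.returncode == 0 else None

if __name__ == "__main__":
    v = installed_version()
    if v is None:
        print("wp-cli not found or plugin not installed")
    else:
        print(f"installed {v}: {'VULNERABLE' if is_vulnerable(v) else 'patched'}")
```

Run it on the WordPress host as the web user (wp-cli needs to load the site); `is_vulnerable` can also be fed versions collected by an inventory tool.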

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed authentication attempts followed by SQL-like patterns in URL parameters
  • wp-content/plugins/broken-link-manager/ requests with SQL syntax in URL parameters

Network Indicators:

  • HTTP GET requests to edit.php?page=broken-link-manager&url= containing SQL keywords (UNION, SELECT, etc.)

SIEM Query:

source="web_logs" AND uri="*broken-link-manager*" AND (uri="*UNION*" OR uri="*SELECT*" OR uri="*INSERT*" OR uri="*DELETE*")
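The SIEM query above matches SQL keywords anywhere in the raw URI, which both misses URL-encoded payloads and fires on benign words such as "selected". The following is an added example, not code from the page: it applies the same detection idea to constructed access-log lines (not real traffic; 203.0.113.0/24 is a documentation address range), but only inspects the decoded 'url' parameter of requests aimed at the plugin and matches the page's keywords as whole words. The log format assumed is Apache/nginx combined log format.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Keywords taken from the page's SIEM query, matched as whole words, case-insensitively
SQL_KEYWORDS = ("UNION", "SELECT", "INSERT", "DELETE")
KEYWORD_RE = re.compile(r"\b(" + "|".join(SQL_KEYWORDS) + r")\b", re.IGNORECASE)

# Combined Log Format prefix: client ident user [time] "METHOD URI PROTO" status
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample access-log lines (not from the page)
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-admin/edit.php?page=broken-link-manager&url=https%3A%2F%2Fexample.org%2Fselected-reading HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /wp-admin/edit.php?page=broken-link-manager&url=1%27%20UNION%20SELECT%201 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /?s=select+a+plan HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:12 +0000] "GET /wp-admin/edit.php?page=broken-link-manager HTTP/1.1" 200 2000 "-" "Mozilla/5.0"',
]

def flag_request(uri):
    """Return the SQL keywords found in the decoded 'url' parameter of a request
    that targets the Broken Link Manager plugin, or [] for anything else."""
    parts = urlsplit(uri)
    params = parse_qs(parts.query, keep_blank_values=True)
    targets_plugin = ("broken-link-manager" in parts.path
                      or params.get("page", [""])[0] == "broken-link-manager")
    if not targets_plugin or "url" not in params:
        return []
    found = []
    for value in params["url"]:
        # parse_qs decoded once already; decode again so double-encoded values are not missed
        for kw in KEYWORD_RE.findall(unquote_plus(value)):
            kw = kw.upper()
            if kw not in found:
                found.append(kw)
    return found

def scan_log(lines):
    """Apply flag_request to each raw log line; return (client, uri, keywords) per hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        keywords = flag_request(m.group("uri"))
        if keywords:
            hits.append((m.group("client"), m.group("uri"), keywords))
    return hits

if __name__ == "__main__":
    for client, uri, keywords in scan_log(SAMPLE_LOG):
        print(f"{client} {uri} -> {keywords}")
```

On the sample data only the second line is reported; the first line, which the raw `*SELECT*` glob would flag because of "selected-reading", is ignored, and the unrelated site search on the third line never reaches the keyword check because it does not target the plugin. Keyword lists of this kind are a coarse signal, so treat hits as triage input alongside the authentication context the page's log indicators describe.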

🔗 References
