CVE-2021-24551

9.8 CRITICAL

📋 TL;DR

This SQL injection vulnerability in the Edit Comments WordPress plugin allows attackers to execute arbitrary SQL commands on the database. It affects WordPress sites running Edit Comments plugin version 0.3 or earlier. Attackers can exploit this without authentication via the jal_edit_comments GET parameter.

💻 Affected Systems

Products:
  • WordPress Edit Comments plugin
Versions: All versions through 0.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all WordPress installations with vulnerable plugin versions installed and activated.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, privilege escalation, remote code execution, and full site takeover.

🟠 Likely Case

Database information disclosure, data manipulation, and potential administrative access to WordPress.

🟢 If Mitigated

Limited impact with proper input validation, parameterized queries, and web application firewall rules in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple SQL injection via GET parameter with public proof-of-concept available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: https://wpscan.com/vulnerability/e62fb8db-384f-4384-ad24-e10eb9058ed5

Restart Required: No

Instructions:

1. Remove the Edit Comments plugin completely.
2. No official patch exists - the plugin appears abandoned.
3. Consider alternative comment management plugins.

🔧 Temporary Workarounds

Disable or Remove Plugin

Completely remove the vulnerable Edit Comments plugin from WordPress

wp plugin deactivate edit-comments
wp plugin delete edit-comments

Web Application Firewall Rule

Block requests containing suspicious SQL injection patterns targeting the jal_edit_comments parameter.

🧯 If You Can't Patch

  • Implement strict input validation for all GET parameters
  • Deploy web application firewall with SQL injection protection rules

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Edit Comments plugin version. If version is 0.3 or earlier, you are vulnerable.

Check Version:

wp plugin get edit-comments --field=version

Verify Fix Applied:

Verify plugin is completely removed from wp-content/plugins directory and no longer appears in WordPress admin.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in WordPress logs
  • Requests containing 'jal_edit_comments' parameter with SQL syntax

Network Indicators:

  • HTTP GET requests with SQL injection payloads in jal_edit_comments parameter

SIEM Query:

http.uri contains "jal_edit_comments" AND (http.uri contains "UNION" OR http.uri contains "SELECT" OR http.uri contains "INSERT" OR http.uri contains "DELETE")
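The SIEM query above matches SQL keywords in the raw request URI. As an added example (not part of this advisory), the script below applies the same idea to web-server access logs, but on the percent-decoded value of the jal_edit_comments parameter and case-insensitively, and it also flags quote, comment and boolean-tautology tokens, which the keyword-only query does not cover. The log lines are constructed for the example; the log format, field names and indicator list are assumptions, not anything from the advisory or the plugin.

```python
"""Flag access-log requests whose jal_edit_comments GET parameter carries SQL syntax.

Added example for CVE-2021-24551 detection; the sample log lines are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

PARAM = "jal_edit_comments"

# Combined-log-format request records, constructed for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "GET /?jal_edit_comments=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2024:10:00:05 +0000] "GET /?jal_edit_comments=12%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 0 "-" "curl/7.88"
198.51.100.4 - - [10/Jan/2024:10:00:09 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2024:10:00:12 +0000] "GET /?jal_edit_comments=1+or+1%3D1 HTTP/1.1" 200 900 "-" "curl/7.88"
"""

# Common Log Format prefix: client ip, identd, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators are checked against the *decoded* parameter value. Keyword matches use
# word boundaries and are case-insensitive, so "union", "%55NION"-style encodings and
# "+"-encoded spaces are all normalised before matching. Assumed list, extend as needed.
INDICATORS = {
    "sql_keyword": re.compile(
        r"\b(union|select|insert|update|delete|drop|sleep|benchmark)\b", re.I),
    "boolean_tautology": re.compile(
        r"\b(or|and)\b\s*['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I),
    "quote": re.compile(r"['\"]"),
    "comment": re.compile(r"(--|#|/\*)"),
}


def parse_log_line(line):
    """Return ip, timestamp, status and raw request target, or None for a non-request line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "timestamp": m["ts"],
            "status": int(m["status"]), "target": m["target"]}


def extract_param(target, name=PARAM):
    """Return the decoded values of one query parameter from a request target (path?query)."""
    query = urlsplit(target).query
    # parse_qs percent-decodes and turns '+' into spaces; keep_blank_values so an
    # empty jal_edit_comments= is still visible to the analyst.
    params = parse_qs(query, keep_blank_values=True)
    return [v for k, vals in params.items() if k.lower() == name for v in vals]


def suspicious_indicators(value):
    """Return the names of indicators present in one decoded value (empty list if clean)."""
    return [name for name, rx in INDICATORS.items() if rx.search(value)]


def scan_log(text):
    """Return one finding per request whose jal_edit_comments value looks like SQL injection."""
    findings = []
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        for value in extract_param(rec["target"]):
            hits = suspicious_indicators(value)
            if hits:
                findings.append({"ip": rec["ip"], "timestamp": rec["timestamp"],
                                 "status": rec["status"], "value": value,
                                 "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['ip']} status={f['status']} "
              f"indicators={','.join(f['indicators'])} value={f['value']!r}")
```

A plain numeric value such as `12` produces no finding, so the legitimate use of the parameter does not generate noise; the two constructed attack lines are flagged, the second one only through the tautology rule, which the keyword-only SIEM query would miss. Pair the log-based check with the 500-status spike: an SQL error caused by a malformed injection attempt often shows up as a server error on an otherwise healthy endpoint.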
