CVE-2021-24762
📋 TL;DR
This vulnerability allows unauthenticated attackers to perform SQL injection attacks on WordPress sites running the Perfect Survey plugin before version 1.5.2. Attackers can execute arbitrary SQL commands through the question_id parameter in AJAX requests, potentially compromising the entire WordPress database. All WordPress installations with vulnerable plugin versions are affected.
💻 Affected Systems
- WordPress Perfect Survey plugin (versions before 1.5.2)
📦 What is this software?
Perfect Survey by Getperfectsurvey
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft, privilege escalation, remote code execution, and full site takeover.
Likely Case
Database information disclosure, data manipulation, and potential administrative access to WordPress.
If Mitigated
Limited impact with proper input validation and parameterized queries preventing SQL injection.
🎯 Exploit Status
Public exploit code is available; exploitation requires minimal technical skill because the vulnerable endpoint is unauthenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.5.2
Vendor Advisory: https://wpscan.com/vulnerability/c1620905-7c31-4e62-80f5-1d9635be11ad
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Perfect Survey plugin.
4. Click 'Update Now' if an update is available.
5. If no update is available, download version 1.5.2+ from the WordPress repository and update manually.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
Block access to the vulnerable get_question AJAX action via .htaccess or a web application firewall. Note that the mod_rewrite rule below inspects only the query string, so a request that sends action=get_question in a POST body is not caught; a WAF rule that inspects POST parameters is needed to cover that case.
# Add to .htaccess:
RewriteCond %{QUERY_STRING} action=get_question [NC]
RewriteRule ^wp-admin/admin-ajax\.php$ - [F,L]
Temporary plugin deactivation
Deactivate the Perfect Survey plugin until the patched version is available
wp plugin deactivate perfect-survey
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block SQL injection patterns in question_id parameter
- Restrict access to wp-admin/admin-ajax.php to trusted IP addresses only (admin-ajax.php also serves front-end requests from anonymous visitors, so this can break public site features)
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Perfect Survey → Version number. If version is below 1.5.2, system is vulnerable.
Check Version:
wp plugin list --name=perfect-survey --field=version
Verify Fix Applied:
Confirm plugin version is 1.5.2 or higher in WordPress admin panel. Test AJAX endpoint with malicious payloads to ensure SQL injection is prevented.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL errors in WordPress logs
- Multiple requests to /wp-admin/admin-ajax.php with action=get_question
- SQL syntax in question_id parameter values
Network Indicators:
- POST/GET requests to /wp-admin/admin-ajax.php with SQL injection payloads in parameters
- Unusual database query patterns from web server
SIEM Query:
source="wordpress.log" AND ("action=get_question" OR "question_id") AND ("UNION" OR "SELECT" OR "INSERT" OR "DELETE" OR "--" OR "' OR '1'='1")
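As an added illustration of the log indicators above (example code, not from the advisory or the plugin vendor), the following Python scans constructed access-log lines for get_question calls whose question_id is not a plain integer and flags the SQL tokens listed above; the sample log lines and the numeric-id expectation are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not real traffic). Only GET query strings
# are visible in a standard access log; POST bodies need WAF or application logging.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2022:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=get_question&question_id=7 HTTP/1.1" 200 512
203.0.113.9 - - [10/Feb/2022:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=get_question&question_id=7%20UNION%20SELECT%201 HTTP/1.1" 200 1024
198.51.100.2 - - [10/Feb/2022:10:01:07 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 88
203.0.113.9 - - [10/Feb/2022:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=get_question&question_id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 1024
"""

# Common log format: client, timestamp, request line, status code.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Tokens the advisory lists as log indicators; matched after URL decoding.
SQLI_MARKERS = re.compile(r"(union|select|insert|delete|--|'|\bor\b)", re.IGNORECASE)

def inspect_request(target):
    """Flag a get_question call whose question_id is not a plain integer (assumed: the plugin expects a numeric id)."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    if params.get("action", [""])[0] != "get_question":
        return None
    qid = params.get("question_id", [""])[0]
    if qid.isdigit():
        return None
    return {"question_id": qid, "sqli_marker": bool(SQLI_MARKERS.search(qid))}

def scan_log(text):
    """Parse each line and collect findings, tagged with source IP and timestamp."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        finding = inspect_request(m.group("target"))
        if finding:
            finding.update(ip=m.group("ip"), ts=m.group("ts"))
            findings.append(finding)
    return findings

def hits_per_ip(findings):
    """Count findings per client so repeated probing from one address stands out."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts
```

Run `scan_log` over a real access log instead of `SAMPLE_LOG`; a non-numeric question_id with `sqli_marker` true, especially repeated from one address, is the pattern the SIEM query above is meant to surface.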
🔗 References
- http://packetstormsecurity.com/files/166072/WordPress-Perfect-Survey-1.5.1-SQL-Injection.html
- https://wpscan.com/vulnerability/c1620905-7c31-4e62-80f5-1d9635be11ad