CVE-2021-24849
📋 TL;DR
CVE-2021-24849 is a critical SQL injection vulnerability in the WCFM Marketplace WordPress plugin that allows attackers to execute arbitrary SQL commands. Both unauthenticated and authenticated users can exploit this through the wcfm_ajax_controller AJAX action. This affects all WordPress sites running vulnerable versions of the plugin.
💻 Affected Systems
- WCFM Marketplace WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft, privilege escalation, remote code execution via database functions, and full site takeover.
Likely Case
Database information disclosure, user data extraction, and potential administrative access to the WordPress site.
If Mitigated
Limited impact with proper input validation, parameterized queries, and web application firewall rules blocking SQL injection patterns.
🎯 Exploit Status
SQL injection is well-understood with many automated tools available. The vulnerability requires no authentication, making exploitation trivial.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.4.12 and later
Vendor Advisory: https://wordpress.org/plugins/wc-multivendor-marketplace/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins.
3. Find the WCFM Marketplace plugin.
4. Click 'Update Now' if an update is available.
5. If a manual update is needed, download version 3.4.12+ from WordPress.org and replace the plugin files.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
Temporarily disable the wcfm_ajax_controller endpoint until patching is possible
Add to theme's functions.php or custom plugin: add_filter('wcfm_is_allow_ajax_controller', '__return_false');
Web Application Firewall rule
Block SQL injection patterns targeting the vulnerable endpoint
WAF rule to block: POST requests containing 'wcfm_ajax_controller' with SQL injection patterns in parameters
🧯 If You Can't Patch
- Disable the WCFM Marketplace plugin entirely until patching is possible
- Implement strict network segmentation and limit access to affected WordPress instances
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > WCFM Marketplace. If the version is below 3.4.12, the site is vulnerable.
Check Version:
wp plugin list --name=wc-multivendor-marketplace --field=version (if WP-CLI is installed)
Verify Fix Applied:
Verify plugin version is 3.4.12 or higher in WordPress admin panel. Test the wcfm_ajax_controller endpoint with SQL injection payloads to confirm protection.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL errors in WordPress debug logs
- Multiple POST requests to /wp-admin/admin-ajax.php with action=wcfm_ajax_controller containing SQL keywords
- Database connection errors or unusual query patterns
Network Indicators:
- POST requests to WordPress admin-ajax.php with SQL injection payloads in parameters
- Unusual database traffic from web server
SIEM Query:
source="wordpress.log" AND ("wcfm_ajax_controller" OR "admin-ajax.php") AND ("UNION" OR "SELECT" OR "INSERT" OR "UPDATE" OR "DELETE" OR "DROP" OR "--" OR "' OR '")
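The log indicators and SIEM query above, implemented as a small offline detector (added example, not part of the advisory). It assumes a JSON-lines request log from a reverse proxy or WAF that records the decoded POST body, which a standard web-server access log does not; the sample log lines and the field names (ts, src, method, path, body) are constructed for illustration.

```python
import json
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Keyword patterns mirror the SIEM query in the advisory. Scoping them to the
# wcfm_ajax_controller action matters: "update" or "delete" alone occur in
# ordinary product text and would flood an unscoped rule with false positives.
SQL_RE = re.compile(
    r"\bUNION\b|\bSELECT\b|\bINSERT\b|\bUPDATE\b|\bDELETE\b|\bDROP\b|--|'\s*OR\s*'",
    re.IGNORECASE,
)


def is_suspicious(entry: dict) -> bool:
    """True for a POST to admin-ajax.php whose action is wcfm_ajax_controller
    and whose parameters (query string or body) contain a SQL keyword pattern.
    The advisory's indicator names POST; widen to GET if your site serves
    admin-ajax.php requests that way too."""
    if entry.get("method") != "POST":
        return False
    url = urlparse(entry.get("path", ""))
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return False
    params = parse_qs(url.query)
    params.update(parse_qs(entry.get("body", "")))
    if "wcfm_ajax_controller" not in params.get("action", []):
        return False
    return any(SQL_RE.search(v) for values in params.values() for v in values)


def scan(log_text: str):
    """Parse a JSON-lines log; return the flagged entries and a per-source
    count, so repeated probing from one address (the "multiple POST requests"
    indicator) is visible at a glance."""
    hits = [e for e in map(json.loads, filter(str.strip, log_text.splitlines()))
            if is_suspicious(e)]
    return hits, Counter(h["src"] for h in hits)


# Constructed sample log (assumed format): one benign WCFM call, one injection
# attempt, one unrelated AJAX action containing a SQL word, one GET request.
SAMPLE_LOG = """\
{"ts":"2021-10-01T10:00:01Z","src":"203.0.113.7","method":"POST","path":"/wp-admin/admin-ajax.php","body":"action=wcfm_ajax_controller&controller=wcfm-products&product_id=12"}
{"ts":"2021-10-01T10:00:02Z","src":"203.0.113.7","method":"POST","path":"/wp-admin/admin-ajax.php","body":"action=wcfm_ajax_controller&controller=wcfm-products&product_id=12' OR '1'='1"}
{"ts":"2021-10-01T10:00:03Z","src":"198.51.100.9","method":"POST","path":"/wp-admin/admin-ajax.php","body":"action=heartbeat&data=select all"}
{"ts":"2021-10-01T10:00:04Z","src":"198.51.100.9","method":"GET","path":"/wp-admin/admin-ajax.php?action=wcfm_ajax_controller&q=drop"}
"""

if __name__ == "__main__":
    flagged, per_source = scan(SAMPLE_LOG)
    for e in flagged:
        print(e["ts"], e["src"], e["body"])
    print(dict(per_source))
```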