CVE-2021-24931
📋 TL;DR
This vulnerability allows attackers to execute arbitrary SQL commands on WordPress sites running the Secure Copy Content Protection and Content Locking plugin. Both unauthenticated and authenticated users can exploit it via the ays_sccp_results_export_file AJAX action. This affects all WordPress installations with vulnerable plugin versions.
💻 Affected Systems
- WordPress Secure Copy Content Protection and Content Locking plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft, privilege escalation, and potential remote code execution via database functions.
Likely Case
Data extraction from WordPress database including user credentials, sensitive content, and plugin data.
If Mitigated
Limited impact with proper input validation and parameterized queries in place.
🎯 Exploit Status
Public exploit code available on Packet Storm Security. Simple SQL injection via sccp_id parameter.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.8.2
Vendor Advisory: https://wordpress.org/plugins/secure-copy-content-protection/#developers
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Secure Copy Content Protection and Content Locking'. 4. Click 'Update Now' if available. 5. Alternatively, download version 2.8.2+ from WordPress repository and manually update.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
allRemove or restrict access to the ays_sccp_results_export_file AJAX action
Add to theme's functions.php or custom plugin: remove_action('wp_ajax_ays_sccp_results_export_file', 'ays_sccp_results_export_file'); remove_action('wp_ajax_nopriv_ays_sccp_results_export_file', 'ays_sccp_results_export_file');
Web Application Firewall rule
allBlock SQL injection patterns targeting sccp_id parameter
WAF-specific configuration to block: *?action=ays_sccp_results_export_file*sccp_id=*[SQL injection patterns]*
🧯 If You Can't Patch
- Disable the Secure Copy Content Protection and Content Locking plugin immediately
- Implement strict input validation and sanitization for all user-supplied parameters in custom code
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'Secure Copy Content Protection and Content Locking' version numberCheck Version:
wp plugin list --name='secure-copy-content-protection' --field=version (if WP-CLI installed)Verify Fix Applied:
Confirm plugin version is 2.8.2 or higher in WordPress admin panel📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with action=ays_sccp_results_export_file
- SQL error messages in WordPress debug logs containing sccp_id parameter
Network Indicators:
- HTTP POST requests with SQL injection patterns in sccp_id parameter
- Multiple rapid requests to admin-ajax.php endpoint
SIEM Query:
source="wordpress.log" AND "ays_sccp_results_export_file" AND ("SQL" OR "syntax" OR "union" OR "select" OR "sleep(")🔗 References
- http://packetstormsecurity.com/files/165946/WordPress-Secure-Copy-Content-Protection-And-Content-Locking-2.8.1-SQL-Injection.html
- https://wpscan.com/vulnerability/1cd52d61-af75-43ed-9b99-b46c471c4231
- http://packetstormsecurity.com/files/165946/WordPress-Secure-Copy-Content-Protection-And-Content-Locking-2.8.1-SQL-Injection.html
- https://wpscan.com/vulnerability/1cd52d61-af75-43ed-9b99-b46c471c4231
