CVE-2021-26935

7.5 HIGH

📋 TL;DR

WoWonder before version 3.1 passes the event_id parameter of the requests.php?f=search-my-followers endpoint into a database query without proper sanitisation, so a remote attacker who needs no account on the site can execute arbitrary SQL against the application's database. Successful exploitation exposes database contents (user records and credentials included) and, depending on the privileges of the database account the application uses, permits data modification; every default installation below 3.1 is affected.

💻 Affected Systems

Products:
  • WoWonder
Versions: All versions < 3.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all default installations of WoWonder below version 3.1.

📦 What is this software?

WoWonder is a commercial, self-hosted social networking platform written in PHP with a MySQL back end. requests.php is its AJAX endpoint; the f parameter selects the action, and the search-my-followers action named in this CVE is the one that handles event_id unsafely.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database takeover, including user credentials, personal data and administrative access, potentially leading to full system compromise.

🟠 Likely Case

Disclosure of database contents, data manipulation, and privilege escalation to administrative accounts by reusing dumped credentials or session material.

🟢 If Mitigated

With the patch applied, or with event_id strictly validated and bound as a query parameter, attacker input is no longer interpreted as SQL and the impact is limited to noise in the logs.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit code is publicly available and requires no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.1

Vendor Advisory: https://www.wowonder.com/

Restart Required: No

Instructions:

1. Back up the WoWonder installation and its database.
2. Download WoWonder version 3.1 or later from the vendor.
3. Replace the application files with the new version (or run the vendor's update procedure, if your licence includes it).
4. Confirm the version shown in the admin panel is 3.1 or later, then re-test the search-my-followers endpoint (see "How to Verify" below) to make sure the fix is actually in place.

🔧 Temporary Workarounds

Input Validation Filter


Reject any event_id that is not a plain integer before it reaches a query.

Modify requests.php so the parameter is validated as an integer, e.g.: $event_id = filter_var($_GET['event_id'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]); if ($event_id === false) { http_response_code(400); exit('Invalid input'); }

Caveats: is_numeric() is too loose for this purpose (it accepts floats, exponent notation such as 1e3, and leading whitespace), so use FILTER_VALIDATE_INT or an explicit cast instead. If the front end submits the value via POST rather than GET, apply the same check to $_POST. This edit to vendor code is overwritten by the next upgrade and is a stopgap, not a substitute for the parameterized query in 3.1.

Web Application Firewall Rule


Block SQL injection payloads in the event_id parameter at the WAF.

ModSecurity rule: SecRule ARGS:event_id "@detectSQLi" "id:1001,phase:2,deny,status:403"

@detectSQLi uses libinjection heuristics (ModSecurity 2.9+/3.x) and can be bypassed or produce false positives. Because a valid event_id is a plain integer, a positive allow-list rule that denies the request when event_id does not match ^\d+$ is both stricter and cheaper; rule IDs below 100000 are reserved for local rules, so 1001 is fine as long as it does not collide with another local rule.

🧯 If You Can't Patch

  • Block requests to /requests.php where f=search-my-followers at the network perimeter or in the web server configuration. A blanket block on /requests.php is the blunt alternative, but it breaks every other site function dispatched through that endpoint.
  • Enforce strict input validation and parameterized (prepared) queries for every user-controlled value the application passes to the database, not just event_id.
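To make the difference between the stopgap above and the real fix concrete, the following is an added illustration in Python with sqlite3; it is not WoWonder's PHP code, and the table names, columns and query are assumptions modelled on a "followers of an event" lookup, not taken from the product. It feeds the same event_id payload to a concatenated query (which leaks every password hash) and to a parameterized query (where the payload is inert), and includes a strict integer validator of the kind the workaround needs.

```python
"""Concatenated vs parameterized SQL for an event_id lookup.
Added example, not WoWonder's code; the schema and query are assumptions."""
import re
import sqlite3

# Accepts only a plain, bounded decimal integer. Looser checks such as
# PHP's is_numeric() admit '1e3', '4.2' and ' 42', which is why they are a
# weaker stopgap than binding the value as a parameter.
EVENT_ID_RE = re.compile(r"0|[1-9][0-9]{0,17}")

def parse_event_id(raw):
    """Return the integer event_id, or None if raw is not a plain integer."""
    if not isinstance(raw, str) or not EVENT_ID_RE.fullmatch(raw):
        return None
    return int(raw)

def make_db():
    """Constructed in-memory database standing in for the application's."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        CREATE TABLE event_followers(event_id INTEGER, user_id INTEGER);
        INSERT INTO users VALUES (1,'alice','$2y$10$aaaa'),(2,'bob','$2y$10$bbbb'),
                                 (3,'carol','$2y$10$cccc');
        INSERT INTO event_followers VALUES (42,1),(43,2);
    """)
    return con

def search_followers_vulnerable(con, event_id):
    """String concatenation: the untrusted value becomes part of the SQL text."""
    sql = ("SELECT u.username FROM users u JOIN event_followers e ON e.user_id = u.id "
           "WHERE e.event_id = " + event_id)
    return [row[0] for row in con.execute(sql)]

def search_followers_parameterized(con, event_id):
    """Placeholder binding: the value is data to the engine, never parsed as SQL."""
    sql = ("SELECT u.username FROM users u JOIN event_followers e ON e.user_id = u.id "
           "WHERE e.event_id = ?")
    return [row[0] for row in con.execute(sql, (event_id,))]

if __name__ == "__main__":
    con = make_db()
    payload = "42 UNION SELECT password_hash FROM users"
    print("concatenated, benign :", search_followers_vulnerable(con, "42"))
    print("concatenated, payload:", search_followers_vulnerable(con, payload))
    print("parameterized, benign :", search_followers_parameterized(con, "42"))
    print("parameterized, payload:", search_followers_parameterized(con, payload))
    print("validator:", parse_event_id("42"), parse_event_id(payload), parse_event_id("1e3"))
```

The parameterized call returns no rows for the payload because sqlite3 binds the whole string as a single text value and compares it against the integer column; the database never sees a UNION. Validation and parameter binding are complementary: validate so malformed input is rejected early with a 400, bind so that anything that slips past validation still cannot change the query.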

🔍 How to Verify

Check if Vulnerable:

Any WoWonder installation reporting a version below 3.1 is vulnerable. The version is shown in the admin panel and can also be read from the installation's version/configuration files.

Check Version:

Log in to the admin panel and read the version shown there; if the panel is unavailable, inspect the WoWonder configuration files on the server for the version string.

Verify Fix Applied:

Confirm the version is 3.1 or later. Then, in a test environment, send a harmless non-integer event_id (for example 42' or 42 AND 1=2) to requests.php?f=search-my-followers: a fixed build rejects the request or returns the same result as for a plain integer, rather than changing its output or surfacing a database error.

📡 Detection & Monitoring

Log Indicators:

  • Database error messages in the PHP/application error log, or in HTTP responses if display_errors is enabled, following requests to the endpoint
  • Unusual queries from the web application's database account (UNION SELECT against user tables, SLEEP/BENCHMARK calls, information_schema lookups)
  • A burst of logins to many different accounts shortly after injection attempts, consistent with use of dumped credentials

Network Indicators:

  • HTTP requests to /requests.php?f=search-my-followers with SQL injection payloads in event_id parameter

SIEM Query:

source="web_server" AND url="*requests.php?f=search-my-followers*" AND (event_id="*' OR *" OR event_id="*;*" OR event_id="*UNION*" OR event_id="*SELECT*" OR event_id="*FROM*" OR event_id="*WHERE*")

Two caveats for this query. It matches raw substrings, so percent-encoded payloads (%27 for the quote, %20UNION%20SELECT) are missed unless the SIEM URL-decodes the field first; and bare keyword matches such as FROM or WHERE are noisy. Since a legitimate event_id is a plain integer, a tighter rule is to alert on any request to the search-my-followers action whose decoded event_id is not an integer.
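As an added example, not part of the advisory or of any vendor tooling, the following Python applies that tighter rule directly to access-log lines, URL-decoding event_id before inspection so percent-encoded payloads are caught. The log lines are constructed for the example, and the Apache/Nginx combined log format is an assumption about the deployment.

```python
"""Flag SQL-injection attempts against requests.php?f=search-my-followers in
web-server access logs.  Added example; log lines are constructed and the
combined log format is an assumption."""
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format prefix: client ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)
VULN_FUNC = "search-my-followers"
# A legitimate event_id is a plain decimal integer; anything else is suspect.
INT_RE = re.compile(r"^[0-9]{1,10}$")
# Secondary tag only: the alert fires on any non-integer value regardless.
SQLI_HINT = re.compile(r"(?i)(['\"\\;]|--|/\*|\bunion\b|\bselect\b|\bsleep\(|\bbenchmark\()")

def analyse_line(line):
    """Return a finding for a request to the vulnerable action whose event_id is
    not a plain integer, otherwise None.  parse_qs URL-decodes the value, so
    %27 / %20UNION payloads that defeat a raw substring match are still seen."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/requests.php"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if VULN_FUNC not in qs.get("f", []):
        return None
    for value in qs.get("event_id", []):
        if not INT_RE.match(value):
            return {
                "client": m.group("client"),
                "time": m.group("time"),
                "status": int(m.group("status")),
                "event_id": value,
                "sqli_pattern": bool(SQLI_HINT.search(value)),
            }
    return None

def scan(log_text):
    """Run analyse_line over every line and return findings in log order."""
    return [f for f in map(analyse_line, log_text.splitlines()) if f]

# Constructed sample: one legitimate request, two sqlmap-style probes against
# the vulnerable action, a non-integer value sent to a different action, noise.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2021:12:00:01 +0000] "GET /requests.php?f=search-my-followers&event_id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Feb/2021:12:00:05 +0000] "GET /requests.php?f=search-my-followers&event_id=42%27%20UNION%20SELECT%201,2,3--%20- HTTP/1.1" 200 2048 "-" "sqlmap/1.5"
203.0.113.9 - - [10/Feb/2021:12:00:07 +0000] "GET /requests.php?f=search-my-followers&event_id=42%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "sqlmap/1.5"
198.51.100.4 - - [10/Feb/2021:12:01:00 +0000] "GET /requests.php?f=load-chat&event_id=1%27 HTTP/1.1" 200 128 "-" "Mozilla/5.0"
198.51.100.5 - - [10/Feb/2021:12:02:00 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The rule is deliberately an allow-list on the parameter's shape rather than a deny-list of SQL keywords: it cannot be evaded by encoding or by keyword variants the deny-list did not anticipate, and it produces no false positives on ordinary traffic, since real clients only ever send integers. Requests whose event_id is sent in a POST body would need the body logged (or a WAF/application log) to apply the same check.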
