Vulnerability Description
The Support Board WordPress plugin before 3.3.4 does not escape multiple POST parameters (such as status_code, department, user_id, conversation_id, conversation_status_code, and recipient_id) before using them in SQL statements, leading to SQL injections which are exploitable by unauthenticated users.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Schiocco | Support Board - Chat And Help Desk | < 3.3.4 |
Related Weaknesses (CWE)
References
- https://board.support/changesRelease NotesVendor Advisory
- https://medium.com/%40lijohnjefferson/multiple-sql-injection-unauthenticated-in-
- https://wpscan.com/vulnerability/ccf293ec-7607-412b-b662-5e237b8690caExploitThird Party Advisory
- https://board.support/changesRelease NotesVendor Advisory
- https://medium.com/%40lijohnjefferson/multiple-sql-injection-unauthenticated-in-
- https://wpscan.com/vulnerability/ccf293ec-7607-412b-b662-5e237b8690caExploitThird Party Advisory
FAQ
What is CVE-2021-24741?
CVE-2021-24741 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The Support Board WordPress plugin before 3.3.4 does not escape multiple POST parameters (such as status_code, department, user_id, conversation_id, conversation_status_code, and recipient_id) before ...
How severe is CVE-2021-24741?
CVE-2021-24741 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2021-24741?
Check the references section above for vendor advisories and patch information. Affected products include: Schiocco Support Board - Chat And Help Desk.