Main Vulnerability Database Vulnerabilities #VU57634

SQL injection in WP Bannerize - CVE-2021-39351

Published: October 25, 2021

Vulnerability identifier: #VU57634

CSH Severity: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2021-39351

CWE-ID: CWE-89

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
WP Bannerize

Software vendor:
gfazioli

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data in the "id" parameter in the ~/Classes/wpBannerizeAdmin.php file. A remote authenticated attacker can send a specially crafted request to the affected application and exfiltrate sensitive information from vulnerable sites.

Remediation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

External links

https://plugins.trac.wordpress.org/browser/wp-bannerize/trunk/Classes/wpBannerizeAdmin.php#L1681
https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39351

SQL injection in WP Bannerize - CVE-2021-39351

Description

Remediation

External links

Please verify you're human