CVE-2021-24506

Slider Hero < 8.2.7 - Contributor+ SQL Injection

EPSS 1.4%CWE-89

Vexday Risk Score

3Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS —EPSS 1.4%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

23 Aug 2021Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

The Slider Hero with Animation, Video Background & Intro Maker WordPress plugin before 8.2.7 does not sanitise or escape the id attribute of its hero-button shortcode before using it in a SQL statement, allowing users with a role as low as Contributor to perform SQL injection.

Affected products

Unknown · Slider Hero with Animation, Video Background & Intro Maker

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://wpscan.com/vulnerability/52c8755c-46b9-4383-8c8d-8816f03456b0