CVE-2021-24741

Support Board < 3.3.4 - Multiple Unauthenticated SQL Injections

EPSS 5.5%CWE-89

Vexday Risk Score

3Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS —EPSS 5.5%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

20 Sep 2021Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

The Support Board WordPress plugin before 3.3.4 does not escape multiple POST parameters (such as status_code, department, user_id, conversation_id, conversation_status_code, and recipient_id) before using them in SQL statements, leading to SQL injections which are exploitable by unauthenticated users.

Affected products

Unknown · Support Board

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://board.support/changes https://medium.com/%40lijohnjefferson/multiple-sql-injection-unauthenticated-in-support-board-v-3-3-3-3e9b4214a4f9 https://wpscan.com/vulnerability/ccf293ec-7607-412b-b662-5e237b8690ca