CVE-2021-24772

Stream < 3.8.2 - Admin+ SQL Injection

EPSS 1.5%CWE-89

Vexday Risk Score

3Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS —EPSS 1.5%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

17 Nov 2021Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

The Stream WordPress plugin before 3.8.2 does not sanitise and validate the order GET parameter from the Stream Records admin dashboard before using it in a SQL statement, leading to an SQL injection issue.

Affected products

Unknown · Stream

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://plugins.trac.wordpress.org/changeset/2615811/stream https://wpscan.com/vulnerability/b9d4f2ad-2f12-4822-817d-982a016af85d