WordPress Plugin Vulnerabilities

WP Bannerize 2.0.0 - 4.0.2 - Authenticated SQL Injection

Description

The plugin is vulnerable to authenticated SQL injection via the id parameter found in the ~/Classes/wpBannerizeAdmin.php file which allows attackers to exfiltrate sensitive information from vulnerable sites.

Affects Plugins

Plugin icon
wp-bannerize
No known fix

References

CVE
CVE-2021-39351
URL
https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39351

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
7.7 (high)

Miscellaneous

Original Researcher
Margaux DABERT from Intrinsec
Verified
No
WPVDB ID
0a40742a-6f25-4e69-af2b-3b8c141103d2

Timeline

Publicly Published
2021-10-05 (about 4 years ago)
Added
2021-10-05 (about 4 years ago)
Last Updated
2022-04-12 (about 4 years ago)

Other

Published
Title
Published
2023-10-31
Title
LearnDash LMS < 4.5.3.1 - SQL Injection
Published
2025-09-26
Title
PGS Core <= 5.9.0 - Authenticated (Contributor+) SQL Injection
Published
2026-04-06
Title
Media Library Assistant < 3.35 - Authenticated (Contributor+) SQL Injection
Published
2024-09-17
Title
WP-Advanced-Search < 3.3.9.2 - Unauthenticated SQL Injection
Published
2026-03-10
Title
Appointment Booking Calendar < 1.6.9.29 - Unauthenticated SQL Injection via 'append_where_sql' Parameter