CVE-2021-36916

WordPress Hide My WP premium plugin <= 6.2.3 - Unauthenticated SQL injection (SQLi) vulnerability

Severity Score: 9.8 (CVSS v3.1)
Public Exploits: 1 (multiple sources)
Exploited in Wild (KEV): -
Decision (SSVC): -

Descriptions

The SQL injection vulnerability in the Hide My WP WordPress plugin (versions <= 6.2.3) is possible because of how the IP address is retrieved and used inside a SQL query. The function "hmwp_get_user_ip" tries to retrieve the IP address from multiple headers, including IP address headers that the user can spoof, such as "X-Forwarded-For." As a result, the malicious payload supplied in one of these IP address headers will be directly inserted into the SQL query, making SQL injection possible.

*Credits: Vulnerability discovered by Dave Jong (Patchstack).
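As an added illustration (not code from Hide My WP, Wpwave or Patchstack), the bug class the description refers to, written in PHP beside a hardened version: the address is read only from REMOTE_ADDR, validated as an IP, and bound with $wpdb->prepare instead of being concatenated. The function names and the example_visits table are assumptions for the example.

```php
<?php
// Added example, not the plugin's code. Function names and the table name
// are assumed; $wpdb is the standard WordPress database object.

// INSECURE PATTERN (the class of bug described above): X-Forwarded-For and
// Client-IP are request headers, so the "IP address" is client-controlled text.
function example_get_ip_insecure(): string {
    foreach (['HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP', 'REMOTE_ADDR'] as $key) {
        if (!empty($_SERVER[$key])) {
            return $_SERVER[$key];
        }
    }
    return '';
}

function example_log_visit_insecure(wpdb $wpdb): void {
    $ip = example_get_ip_insecure();
    // String interpolation places the header value straight into the statement.
    $wpdb->query("INSERT INTO {$wpdb->prefix}example_visits (ip) VALUES ('$ip')");
}

// HARDENED PATTERN: REMOTE_ADDR is set by the web server from the TCP peer, not
// by the client. Reject anything that is not a syntactically valid IP, and let
// $wpdb->prepare quote the value so it is never parsed as SQL.
function example_get_ip_secure(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    // If a trusted reverse proxy sits in front of WordPress, consult its header
    // only when REMOTE_ADDR is that proxy, and still validate the result.
    return filter_var($ip, FILTER_VALIDATE_IP) !== false ? $ip : '';
}

function example_log_visit_secure(wpdb $wpdb): bool {
    $ip = example_get_ip_secure();
    if ($ip === '') {
        return false; // nothing trustworthy to record
    }
    $sql = $wpdb->prepare(
        "INSERT INTO {$wpdb->prefix}example_visits (ip) VALUES (%s)",
        $ip
    );
    return $wpdb->query($sql) !== false;
}
```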
CVSS Scores (Common Vulnerability Scoring System)
  • CVSS v3.1 (base score 9.8): Attack Vector Network, Attack Complexity Low, Privileges Required None, User Interaction None, Scope Unchanged, Confidentiality High, Integrity High, Availability High (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  • Second CVSS v3 assessment: Attack Vector Network, Attack Complexity Low, Privileges Required None, User Interaction None, Scope Unchanged, Confidentiality Low, Integrity High, Availability Low (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L)
  • CVSS v2: Attack Vector Network, Attack Complexity Low, Authentication None, Confidentiality Partial, Integrity Partial, Availability Partial (AV:N/AC:L/Au:N/C:P/I:P/A:P)
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
  * Organization's Worst-case Scenario
Timeline
  • 2021-07-19 CVE Reserved
  • 2021-11-24 CVE Published
  • 2024-09-17 CVE Updated
  • 2024-09-17 First Exploit
  • 2024-12-17 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Affected Vendors, Products, and Versions
  • Vendor: Wpwave; Product: Hide My Wp; Version: <= 6.2.3; Other: wordpress; Status: Affected