CVE-2021-24458

CVE-2021-24458: Popup box < 2.3.4 - Authenticated Blind SQL Injections

Vendor Ays Pro

Product Popup box

Weakness CWE-89 · SQLi

Published August 2, 2021

Last update August 3, 2024

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

The get_ays_popupboxes() and get_popup_categories() functions of the Popup box WordPress plugin before 2.3.4 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard

Key dates

02Disclosure timeline

August 2, 2021 CVE published

August 3, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2021-24458

Related vulnerabilities

04Related CVE

CVE-2025-7129 Campcodes Payroll Management System ajax.php sql injection CVE-2022-3141 Translatepress Multilinugal < 2.3.3 - Admin+ SQLi CVE-2023-30465 Apache InLong: SQL injection in apache inLong 1.5.0 CVE-2023-5268 DedeBIZ makehtml_taglist_action.php sql injection CVE-2023-30867 Apache StreamPark (incubating): Authenticated system users could trigger SQL injection vulnerability