CVE-2021-36916 HIGH

CVE-2021-36916: WordPress Hide My WP premium plugin <= 6.2.3 - Unauthenticated SQL injection (SQLi) vulnerability

Vendor Wpwave
Product Hide My WP (WordPress plugin)
Weakness CWE-89 · SQLi
Published November 24, 2021
Last update April 28, 2026

CVSS base score

8.6/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

What the vulnerability does

Description

The SQL injection vulnerability in the Hide My WP WordPress plugin (versions <= 6.2.3) is possible because of how the IP address is retrieved and used inside a SQL query. The function "hmwp_get_user_ip" tries to retrieve the IP address from multiple headers, including IP address headers that the user can spoof, such as "X-Forwarded-For." As a result, the malicious payload supplied in one of these IP address headers will be directly inserted into the SQL query, making SQL injection possible.
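The pattern described above, as an added illustration that is not the plugin's own code (the function and table names are hypothetical): an IP lookup that trusts client-supplied proxy headers and splices the value into SQL, next to a hardened form that only honours X-Forwarded-For behind a known proxy, validates the result as an IP literal, and binds it with $wpdb->prepare().

```php
<?php
// INSECURE PATTERN (illustrative, not hmwp_get_user_ip itself): any of
// these headers can be set by the requester, so the returned "IP" is
// attacker-controlled text.
function example_insecure_get_client_ip() {
    foreach (array('HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP', 'REMOTE_ADDR') as $key) {
        if (!empty($_SERVER[$key])) {
            return $_SERVER[$key];
        }
    }
    return '';
}

function example_insecure_lookup($wpdb, $ip) {
    // The header value becomes part of the SQL text: CWE-89.
    return $wpdb->get_results(
        "SELECT * FROM {$wpdb->prefix}example_log WHERE ip = '$ip'"
    );
}

// HARDENED FORM: REMOTE_ADDR is set by the web server, not the client.
// Forwarding headers are consulted only when the direct peer is a proxy
// we operate, and the chosen value must parse as an IP address.
function example_secure_get_client_ip(array $trusted_proxies = array()) {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    if (in_array($ip, $trusted_proxies, true) && !empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        // X-Forwarded-For is "client, proxy1, ..."; the rightmost entry is
        // the one our trusted proxy appended.
        $hops = array_map('trim', explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']));
        $ip   = end($hops);
    }
    // Reject anything that is not a literal IPv4/IPv6 address.
    return filter_var($ip, FILTER_VALIDATE_IP) === false ? '' : $ip;
}

function example_secure_lookup($wpdb, $ip) {
    if ($ip === '') {
        return array(); // nothing to look up for an invalid or missing address
    }
    // Parameter binding: the value can never change the query structure.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}example_log WHERE ip = %s",
        $ip
    );
    return $wpdb->get_results($sql);
}
```

Even with parameter binding in place, the validation step matters on its own: a spoofed forwarding header should never be logged or rate-limited as if it were the real client address.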

Key dates

Disclosure timeline

November 24, 2021 CVE published
April 28, 2026 Record updated