CVE-2021-24337

HIGH

video-embed-box < 1.0 - Authenticated SQL Injection via id GET Parameter

Title source: llm
STIX 2.1

Description

The id GET parameter of one of the Video Embed WordPress plugin through 1.0's page (available via forced browsing) is not sanitised, validated or escaped before being used in a SQL statement, allowing low privilege users, such as subscribers, to perform SQL injection.

References (2)

Core 2
Core References
Exploit, Third Party Advisory x_refsource_confirm
https://wpscan.com/vulnerability/a8fd8dd4-5b5e-462e-8dae-065d5e2d003a
Exploit, Third Party Advisory x_refsource_misc
https://codevigilant.com/disclosure/2021/wp-plugin-video-embed-box/

Scores

CVSS v3 8.8
EPSS 0.0157
EPSS Percentile 72.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-89
Status published
Products (1)
video-embed-box_project/video-embed-box < 1.0
Published Jun 07, 2021
Tracked Since Feb 18, 2026