CVE-2021-24361
CRITICALLocation Manager < 2.1.0.10 - Unauthenticated SQL Injection via gd_popular_location_list AJAX Action
Title source: llmDescription
In the Location Manager WordPress plugin before 2.1.0.10, the AJAX action gd_popular_location_list did not properly sanitise or validate some of its POST parameters, which are then used in a SQL statement, leading to unauthenticated SQL Injection issues.
References (2)
Core 2
Core References
Exploit, Third Party Advisory x_refsource_confirm
https://wpscan.com/vulnerability/5aff50fc-ac96-4076-a07c-bb145ae37025
Product, Vendor Advisory x_refsource_misc
https://wpgeodirectory.com/downloads/location-manager/
Scores
CVSS v3
9.8
EPSS
0.0183
EPSS Percentile
76.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-89
Status
published
Products (1)
ayecode/location_manager
< 2.1.0.10
Published
Jun 21, 2021
Tracked Since
Feb 18, 2026