CVE-2021-24361

CRITICAL

Location Manager < 2.1.0.10 - Unauthenticated SQL Injection via gd_popular_location_list AJAX Action

Title source: llm
STIX 2.1

Description

In the Location Manager WordPress plugin before 2.1.0.10, the AJAX action gd_popular_location_list did not properly sanitise or validate some of its POST parameters, which are then used in a SQL statement, leading to unauthenticated SQL Injection issues.

References (2)

Core 2
Core References
Exploit, Third Party Advisory x_refsource_confirm
https://wpscan.com/vulnerability/5aff50fc-ac96-4076-a07c-bb145ae37025
Product, Vendor Advisory x_refsource_misc
https://wpgeodirectory.com/downloads/location-manager/

Scores

CVSS v3 9.8
EPSS 0.0183
EPSS Percentile 76.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-89
Status published
Products (1)
ayecode/location_manager < 2.1.0.10
Published Jun 21, 2021
Tracked Since Feb 18, 2026