CVE-2021-24557

HIGH

m-vslider < 2.1.3 - Authenticated SQL Injection via rs_id Parameter

Title source: llm
STIX 2.1

Description

The update functionality in the rslider_page uses an rs_id POST parameter which is not validated, sanitised or escaped before being inserted in sql query, therefore leading to SQL injection for users having Administrator role.

References (2)

Core 2
Core References
Exploit, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/8b8e41e8-5a40-4062-b5b7-3b01b1a709ef
Exploit, Third Party Advisory x_refsource_misc
https://codevigilant.com/disclosure/2021/wp-plugin-m-vslider/

Scores

CVSS v3 7.2
EPSS 0.0155
EPSS Percentile 72.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-89
Status published
Products (1)
nimble3/m-vslider < 2.1.3
Published Aug 23, 2021
Tracked Since Feb 18, 2026