CVE-2021-24849

CRITICAL NUCLEI

WCFM Marketplace <3.4.12 - SQL Injection

Title source: llm

Description

The wcfm_ajax_controller AJAX action of the WCFM Marketplace WordPress plugin before 3.4.12, available to unauthenticated and authenticated user, does not properly sanitise multiple parameters before using them in SQL statements, leading to SQL injections

Nuclei Templates (1)

WCFM WooCommerce Multivendor Marketplace < 3.4.12 - SQL Injection

CRITICALVERIFIEDby ritikchaddha

Shodan: http.html:/wp-content/plugins/wc-multivendor-marketplace

FOFA: body=/wp-content/plugins/wc-multivendor-marketplace

References (1)

[Exploit, Third Party Advisory] https://wpscan.com/vulnerability/763c08a0-4b2b-4487-b91c-be6cc2b9322e

Scores

CVSS v3 9.8

EPSS 0.7464

EPSS Percentile 98.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-89

Status published

Products (1)

wclovers/frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible < 3.4.12

Published Dec 21, 2021

Tracked Since Feb 18, 2026