CVE-2021-24849

CRITICAL NUCLEI

WCFM Marketplace <3.4.12 - SQL Injection

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2021-24849 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.

Description

The wcfm_ajax_controller AJAX action of the WCFM Marketplace WordPress plugin before 3.4.12, available to unauthenticated and authenticated user, does not properly sanitise multiple parameters before using them in SQL statements, leading to SQL injections

Nuclei Templates (1)

WCFM WooCommerce Multivendor Marketplace < 3.4.12 - SQL Injection
CRITICALVERIFIEDby ritikchaddha
Shodan: http.html:/wp-content/plugins/wc-multivendor-marketplace
FOFA: body=/wp-content/plugins/wc-multivendor-marketplace

References (1)

Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/763c08a0-4b2b-4487-b91c-be6cc2b9322e

Scores

CVSS v3 9.8
EPSS 0.0848
EPSS Percentile 94.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-89
Status published
Products (1)
wclovers/frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible < 3.4.12
Published Dec 21, 2021
Tracked Since Feb 18, 2026