CVE-2021-36916

HIGH

Hide My WP <= 6.2.3 - SQL Injection via Spoofed IP Address Headers

Title source: llm
STIX 2.1

Description

The SQL injection vulnerability in the Hide My WP WordPress plugin (versions <= 6.2.3) is possible because of how the IP address is retrieved and used inside a SQL query. The function "hmwp_get_user_ip" tries to retrieve the IP address from multiple headers, including IP address headers that the user can spoof, such as "X-Forwarded-For." As a result, the malicious payload supplied in one of these IP address headers will be directly inserted into the SQL query, making SQL injection possible.

Scores

CVSS v3 8.6
EPSS 0.0180
EPSS Percentile 76.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-89
Status published
Products (2)
wpWave/Hide My WP (WordPress plugin) <= 6.2.3 - 6.2.3
wpwave/hide_my_wp < 6.2.3
Published Nov 24, 2021
Tracked Since Feb 18, 2026