CVE-2021-47941: WordPress Survey & Poll Plugin SQL Injection Vulnerability
WordPress Plugin Survey & Poll version 1.5.7.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the wp_sap cookie parameter, potentially leading to sensitive data extraction.
CVE-2021-47941 describes a critical SQL injection vulnerability affecting the WordPress Survey & Poll plugin, version 1.5.7.3. This flaw allows unauthenticated attackers to inject malicious SQL code via the wp_sap cookie. By crafting specific SQL payloads within this cookie, attackers can execute arbitrary queries against the WordPress database. This can lead to the exfiltration of sensitive information such as usernames, passwords, and other confidential data stored within the database. The vulnerability poses a significant risk to WordPress websites using the affected plugin version, potentially leading to complete compromise of the web application.
Attack Chain
- An unauthenticated attacker identifies a WordPress website running the Survey & Poll plugin version 1.5.7.3.
- The attacker crafts a malicious SQL payload designed to extract sensitive data.
- The attacker injects the SQL payload into the wp_sap cookie value within an HTTP request.
- The WordPress application processes the request, executing the injected SQL query against the database.
- The database server executes the malicious SQL query due to the SQL injection vulnerability in the plugin's handling of the wp_sap cookie.
- The attacker retrieves the results of the SQL query, which may include usernames, passwords, or other sensitive data.
- The attacker uses the exfiltrated data for further malicious activities, such as gaining administrative access to the WordPress site.
Impact
Successful exploitation of CVE-2021-47941 can allow an unauthenticated attacker to extract sensitive information from the WordPress database, including usernames, passwords, and potentially other confidential data. This can lead to complete compromise of the WordPress site, allowing the attacker to modify content, install malware, or use the site for further attacks. Due to the nature of the vulnerability, a wide range of WordPress sites using the vulnerable plugin version are at risk.
Recommendation
- Deploy the Sigma rule "Detect CVE-2021-47941 Exploitation via Malicious wp_sap Cookie" to identify exploitation attempts based on SQL injection patterns in the wp_sap cookie value.
- Deploy the Sigma rule "Detect WordPress wp_sap Cookie with Union SQL Injection" to detect UNION-based SQL injection attempts via the vulnerable cookie.
- Upgrade the WordPress Survey & Poll plugin to a patched version that addresses the SQL injection vulnerability (CVE-2021-47941).
Detection coverage
Detect CVE-2021-47941 Exploitation via Malicious wp_sap Cookie
Severity: high. Detects CVE-2021-47941 exploitation: SQL injection attempts in the wp_sap cookie value indicating potential data exfiltration.
Detect WordPress wp_sap Cookie with Union SQL Injection
Severity: high. Detects UNION-based SQL injection attempts via the wp_sap cookie in the WordPress Survey & Poll plugin.
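An illustrative Python version of the two detections named above, added here and not the platform's Sigma rules or the plugin's code: it pulls the wp_sap cookie out of access-log lines, percent-decodes and normalizes it, then labels generic and UNION-based SQL patterns. The log format (Cookie header as the last quoted field), the regexes and the sample lines are assumptions constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not from the advisory). Assumed format:
# the Cookie header is logged as the final double-quoted field.
SAMPLE_LOG = [
    '203.0.113.5 "GET / HTTP/1.1" 200 "UA" "wp_sap=survey-12; theme=dark"',
    '203.0.113.9 "GET / HTTP/1.1" 200 "UA" "wp_sap=1%27%20UNION%20SELECT%201--%20"',
    '203.0.113.9 "GET / HTTP/1.1" 200 "UA" "a=b; wp_sap=1%2527%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsElEcT%25201"',
    '203.0.113.9 "GET / HTTP/1.1" 200 "UA" "wp_sap=1%27%20OR%20%271%27%3D%271"',
    '203.0.113.7 "GET / HTTP/1.1" 200 "UA" "note=union%20select; xwp_sap=1"',
]

COOKIE_RE = re.compile(r"(?:^|;\s*)wp_sap=([^;]*)")  # only the wp_sap cookie
UNION_RE = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)
GENERIC_RE = re.compile(
    r"['\"]\s*(?:or|and)\b|\bselect\b.+\bfrom\b|\b(?:sleep|benchmark)\s*\(|--(?:\s|$)",
    re.I)

def wp_sap_value(cookie_header):
    """Return the decoded, normalized wp_sap value, or None if absent."""
    m = COOKIE_RE.search(cookie_header)
    if m is None:
        return None
    value = m.group(1)
    for _ in range(3):  # undo up to three layers of percent-encoding
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    # Treat SQL block comments and runs of whitespace as one space.
    return re.sub(r"/\*.*?\*/|\s+", " ", value, flags=re.S)

def classify(cookie_header):
    value = wp_sap_value(cookie_header)
    if value is None:
        return "no_cookie"
    if UNION_RE.search(value):
        return "union_sqli"
    return "sqli" if GENERIC_RE.search(value) else "clean"

def scan(lines):
    """Return (line_number, verdict) for every line with a suspicious wp_sap."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.rsplit('"', 2)  # [prefix, cookie header, trailing]
        verdict = classify(fields[1]) if len(fields) == 3 else "no_cookie"
        if verdict != "clean" and verdict != "no_cookie":
            hits.append((n, verdict))
    return hits
```

Most default web server log formats do not record cookies, so this check only works where the Cookie header is logged or where the same logic runs in a WAF or reverse proxy.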