Attack Chain

1. An unauthenticated attacker identifies a WordPress website running the Survey & Poll plugin version 1.5.7.3.
2. The attacker crafts a malicious SQL payload designed to extract sensitive data.
3. The attacker injects the SQL payload into the wp_sap cookie value within an HTTP request.
4. The WordPress application processes the request, executing the injected SQL query against the database.
5. The database server executes the malicious SQL query due to the SQL injection vulnerability in the plugin’s handling of the wp_sap cookie.
6. The attacker retrieves the results of the SQL query, which may include usernames, passwords, or other sensitive data.
7. The attacker uses the exfiltrated data for further malicious activities, such as gaining administrative access to the WordPress site.

Impact

Successful exploitation of CVE-2021-47941 can allow an unauthenticated attacker to extract sensitive information from the WordPress database, including usernames, passwords, and potentially other confidential data. This can lead to complete compromise of the WordPress site, allowing the attacker to modify content, install malware, or use the site for further attacks. Due to the nature of the vulnerability, a wide range of WordPress sites using the vulnerable plugin version are at risk.

Recommendation

• Deploy the Sigma rule Detect CVE-2021-47941 Exploitation via Malicious wp_sap Cookie to identify exploitation attempts based on SQL injection patterns in the wp_sap cookie value.
• Deploy the Sigma rule Detect WordPress wp_sap Cookie with Union SQL Injection to detect UNION-based SQL injection attempts via the vulnerable cookie.
• Upgrade the WordPress Survey & Poll plugin to a patched version that addresses the SQL injection vulnerability (CVE-2021-47941).