CVE-2021-24762 Overview
CVE-2021-24762 is a SQL injection vulnerability in the Perfect Survey WordPress plugin before version 1.5.2. The plugin does not validate or escape the question_id GET parameter before using it in a SQL statement inside its get_question AJAX action, so an unauthenticated attacker can inject arbitrary SQL into the query the plugin runs against the WordPress database.
Critical Impact
Unauthenticated attackers can use the injection to read any data the WordPress database user can see, including password hashes and e-mail addresses from the users table, survey responses, and the tables of other plugins. Where query results are not reflected in the response, error-based or time-based techniques still leak data one value at a time. The endpoint is reachable over the network and requires neither credentials nor user interaction.
Affected Products
- Perfect Survey WordPress Plugin versions prior to 1.5.2
- WordPress installations running vulnerable versions of the Perfect Survey plugin
- Perfect Survey as listed by NVD under the vendor name getperfectsurvey
Discovery Timeline
- 2022-02-01 - CVE-2021-24762 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-24762
Vulnerability Analysis
The injection stems from improper input handling in the plugin's AJAX functionality. The get_question handler reads a question_id parameter from the GET request and incorporates the raw value into the SQL it sends to the database, with no type check, escaping or parameter binding.
The endpoint is reached through WordPress's AJAX handler (wp-admin/admin-ajax.php) with action=get_question. Despite the wp-admin path, admin-ajax.php is reachable by anyone; a plugin that registers a handler on the wp_ajax_nopriv_{action} hook makes that action available to visitors who are not logged in, and that is the case for get_question, so no WordPress credentials are needed. Reachability without authentication combined with direct query construction makes the flaw straightforward to exploit.
Root Cause
The root cause is the absence of both input validation and parameter binding when question_id is used in a query. Instead of casting the value to an integer (for example with absint()) or building the statement with $wpdb->prepare(), which escapes each value according to its placeholder type (%d, %s), the plugin concatenates the request value straight into the SQL string. This is the classic SQL injection pattern: the attacker's input is parsed as part of the statement rather than treated as data, so a crafted value breaks out of the intended WHERE clause and appends SQL of the attacker's choosing.
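The following is an added illustration of that pattern and of the two fixes; it is not the plugin's code. Perfect Survey is PHP and talks to MySQL through $wpdb, whereas this stand-in uses Python and sqlite3 and reproduces only the shape of the defect: a request value spliced into a SELECT. The table names, columns and sample rows are constructed for the example.

```python
"""Added illustration of the CVE-2021-24762 root cause (not the plugin's code).

Python/sqlite3 stand-in for the PHP/$wpdb original: the same request value is
run through the vulnerable pattern and through the two fixes. Table names,
columns and rows are constructed for this example.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed data: a question table and a users table standing in for wp_users."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE questions (id INTEGER PRIMARY KEY, text TEXT)")
    con.executemany(
        "INSERT INTO questions VALUES (?, ?)",
        [(1, "How did you hear about us?"), (2, "Rate our support"), (3, "Any other comments?")],
    )
    con.execute("CREATE TABLE users (user_login TEXT, user_pass TEXT)")
    # Constructed placeholder, not a real hash.
    con.execute("INSERT INTO users VALUES (?, ?)", ("admin", "$P$Bconstructed.hash.for.the.example"))
    return con


def get_question_vulnerable(con, question_id: str):
    """The defect: question_id from the request is concatenated into the SQL.
    This mirrors the unpatched pattern; never write queries this way."""
    sql = "SELECT id, text FROM questions WHERE id = " + question_id
    return con.execute(sql).fetchall()


def get_question_prepared(con, question_id):
    """Fix 1: bind the value as a parameter. The '?' placeholder is the sqlite3
    counterpart of %d in $wpdb->prepare(): the value is never parsed as SQL, so a
    tautology such as '1 OR 1=1' is just a string that matches no integer id."""
    return con.execute("SELECT id, text FROM questions WHERE id = ?", (question_id,)).fetchall()


def get_question_typed(con, question_id: str):
    """Fix 2 (use together with fix 1): validate the type first, as absint() does
    in WordPress, so hostile input is rejected before any query runs."""
    if not question_id.isdigit():
        raise ValueError("question_id must be a non-negative integer")
    return get_question_prepared(con, int(question_id))


if __name__ == "__main__":
    db = make_db()
    for payload in ("2", "1 OR 1=1", "0 UNION SELECT user_login, user_pass FROM users"):
        print("vulnerable:", repr(payload), "->", get_question_vulnerable(db, payload))
        print("prepared:  ", repr(payload), "->", get_question_prepared(db, payload))
```

Against the vulnerable function, a tautology returns every question and a UNION payload pulls the users table through the question endpoint, which is exactly the data-exposure path described above; the bound-parameter version returns nothing for either payload, and the typed version rejects them before the database is involved.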
Attack Vector
The attack can be executed remotely over the network without requiring any authentication. An attacker sends a crafted HTTP GET request to the WordPress AJAX handler with a malicious question_id parameter containing SQL injection payloads. The attack flow is as follows:
- Attacker identifies a WordPress site running a vulnerable version of Perfect Survey
- Attacker sends a request to /wp-admin/admin-ajax.php?action=get_question&question_id=[MALICIOUS_PAYLOAD]
- The plugin processes the request and executes the injected SQL
- The attacker reads results back either directly (UNION-based extraction, with the stolen rows returned in the AJAX response), through database error text, or by timing (time-based blind injection)
The vulnerability lends itself to UNION-based extraction and to error-based and time-based blind techniques. Stacked queries (a second statement appended after a semicolon) are generally not available, because $wpdb sends statements through mysqli_query(), which executes a single statement per call. For detailed technical analysis of the exploitation mechanism, refer to the WPScan Vulnerability Details and the Packet Storm SQL Injection Report.
Detection Methods for CVE-2021-24762
Indicators of Compromise
- HTTP requests to /wp-admin/admin-ajax.php with action=get_question whose question_id contains SQL syntax such as UNION, SELECT, OR 1=1, SLEEP( or comment sequences (--, /*), including their URL-encoded forms (%27 for the single quote, %20 or + for spaces)
- Unusual database query patterns or errors in WordPress/MySQL logs indicating SQL syntax errors
- Large volumes of requests targeting the AJAX endpoint from single IP addresses or suspicious user agents
- Evidence of extraction, such as abnormally large responses to get_question requests (UNION-based extraction returns the stolen rows in the response body) or long runs of near-identical requests that differ only in the question_id payload (blind extraction)
Detection Strategies
- Deploy Web Application Firewall (WAF) rules to detect and block common SQL injection patterns in the question_id parameter
- Monitor logs for get_question requests whose question_id is not a plain integer (the parameter name suggests integer values; confirm this for your site before alerting on it); match after URL-decoding, since keyword matching on the raw encoded query string misses trivial variations such as %27 or %20UNION
- Utilize intrusion detection systems (IDS) with signatures for WordPress SQL injection attacks
- Temporarily enable the MySQL general query log (or an audit plugin) to see the exact statements the plugin executes; it records every query on the server, so keep the window short and protect the log file, which will contain sensitive data
Monitoring Recommendations
- Monitor WordPress access logs for requests to admin-ajax.php with the get_question action, particularly those with encoded or suspicious parameter values
- Alert on HTTP 5xx responses and on unusually sized responses from admin-ajax.php; note that with WP_DEBUG off WordPress suppresses database error output, so a failed injection attempt often returns a normal status code with an empty result rather than a 500
- Implement rate limiting on AJAX endpoints to slow down automated exploitation attempts
- Review database user privileges: the WordPress database account should hold only the privileges it needs on its own database and none of the global ones (FILE, SUPER, PROCESS) that turn an injection into file reads or server-wide access
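The detection and monitoring points above, as an added example run over constructed access log lines; this is not code from the page or from the plugin vendor. It assumes the Apache/nginx "combined" log format and that a legitimate question_id is a plain integer (inferred from the parameter name; adjust if your site sends other values). It decodes the query string before matching, counts get_question requests per client address for rate-limiting decisions, and flags server errors on the action.

```python
"""Added detection example for CVE-2021-24762 probing in web server access logs.
Not the page's or the vendor's code. Assumes the "combined" log format and
integer question_id values; the log lines are constructed for this example.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
# Tokens that have no business in an integer id; matched after URL-decoding.
SQL_TOKENS = re.compile(r"(union|select|sleep\(|benchmark\(|concat|--|#|/\*|'|\")", re.I)

# Constructed sample: one legitimate request, three probes from one address,
# two unrelated requests, and a get_question request that produced a 500.
LOG_LINES = [
    '203.0.113.5 - - [01/Feb/2022:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=get_question&question_id=7 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Feb/2022:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=get_question&question_id=7%27 HTTP/1.1" 200 0 "-" "sqlmap/1.6"',
    '198.51.100.9 - - [01/Feb/2022:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=get_question&question_id=0%20UNION%20SELECT%201,2 HTTP/1.1" 200 4096 "-" "sqlmap/1.6"',
    '198.51.100.9 - - [01/Feb/2022:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=get_question&question_id=7%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "sqlmap/1.6"',
    '203.0.113.5 - - [01/Feb/2022:10:00:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [01/Feb/2022:10:00:06 +0000] "GET /index.php?s=select HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [01/Feb/2022:10:00:07 +0000] "GET /wp-admin/admin-ajax.php?action=get_question&question_id=7 HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
]


def analyze(lines):
    """Return (findings, per_ip): suspicious get_question requests, and the
    number of get_question requests seen per client address."""
    findings, per_ip = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["url"])
        if not parts.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        # parse_qs URL-decodes the values (%27 -> ', %20 and + -> space).
        qs = parse_qs(parts.query, keep_blank_values=True)
        if qs.get("action", [""])[0].lower() != "get_question":
            continue
        per_ip[m["ip"]] += 1
        qid = qs.get("question_id", [""])[0]
        reasons = []
        if not qid.isdigit():
            reasons.append("non-numeric question_id")
        if SQL_TOKENS.search(qid):
            reasons.append("sql token in question_id")
        if m["status"].startswith("5"):
            reasons.append("server error on get_question")
        if reasons:
            findings.append({"ip": m["ip"], "time": m["ts"], "question_id": qid,
                             "status": m["status"], "reasons": reasons})
    return findings, per_ip


def noisy_ips(per_ip, threshold):
    """Addresses that hit the action at least `threshold` times: rate-limit candidates."""
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


if __name__ == "__main__":
    found, counts = analyze(LOG_LINES)
    for f in found:
        print(f["time"], f["ip"], repr(f["question_id"]), f["status"], ", ".join(f["reasons"]))
    print("high-volume sources:", noisy_ips(counts, 3))
```

The non-numeric check catches payloads the keyword list does not anticipate, and the keyword list explains what kind of probe it was; run against real logs, the threshold for noisy_ips should be tuned to the site's normal survey traffic over the chosen window.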
How to Mitigate CVE-2021-24762
Immediate Actions Required
- Update the Perfect Survey plugin to version 1.5.2 or later immediately
- If immediate update is not possible, deactivate and remove the Perfect Survey plugin from the WordPress installation
- Review web server access logs (and the MySQL general or audit log, if one was enabled) for the request patterns described under Detection Methods, and for unusually large responses to get_question
- Consider implementing a Web Application Firewall to provide additional protection against SQL injection attacks
- If compromise is suspected, rotate the database credentials in wp-config.php, force a password reset for all WordPress users (their password hashes may have been read) and rotate the authentication keys and salts in wp-config.php to invalidate existing login cookies
Patch Information
The vulnerability has been addressed in Perfect Survey plugin version 1.5.2. Users should update to this version or later through the WordPress plugin dashboard or by downloading the latest version directly from the plugin source. After updating, verify the installed version under Plugins in the WordPress admin, or from the command line with WP-CLI (wp plugin list).
For more information about this vulnerability, consult the WPScan Vulnerability Details.
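Verifying the version from the file system rather than the dashboard, as an added example that is not part of the page or the plugin: it reads the standard WordPress plugin file header and compares the version numerically against 1.5.2. The header text is constructed for the example; the plugin's main file name and exact header contents are not assumed. It exists mainly to avoid the trap of comparing version strings lexically, where "1.5.10" sorts below "1.5.2".

```python
"""Added example: decide from a WordPress plugin file header whether the
installed Perfect Survey is below the fixed version 1.5.2. Not the plugin's
code; the sample header is constructed and the file name is not assumed.
"""
import re
from typing import Optional

FIXED_VERSION = "1.5.2"

# Constructed sample header in the format WordPress uses for every plugin.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Perfect Survey
 * Version: 1.5.10
 * Author: example
 */
"""


def plugin_version(header_text: str) -> Optional[str]:
    """Return the 'Version:' header value, or None if the header is absent."""
    m = re.search(r"^[ \t/*#@]*Version:[ \t]*(\S+)", header_text, re.MULTILINE)
    return m.group(1) if m else None


def version_key(version: str) -> tuple:
    """Numeric sort key: '1.5.10' -> ((1, 5, 10), 1). A pre-release suffix such
    as '1.5.2-beta' sorts below the plain release, so it counts as older."""
    parts = []
    for piece in version.split("."):
        num = re.match(r"\d+", piece)
        parts.append(int(num.group()) if num else 0)
    is_prerelease = re.search(r"[A-Za-z]", version) is not None
    return (tuple(parts), 0 if is_prerelease else 1)


def is_vulnerable(version: str) -> bool:
    """True when the version is older than the first fixed release."""
    return version_key(version) < version_key(FIXED_VERSION)


def assess(header_text: str) -> dict:
    """Parse the header and report whether the installed version needs updating."""
    version = plugin_version(header_text)
    if version is None:
        return {"version": None, "vulnerable": None, "note": "no Version header found"}
    vulnerable = is_vulnerable(version)
    note = "update to %s or later" % FIXED_VERSION if vulnerable else "patched"
    return {"version": version, "vulnerable": vulnerable, "note": note}


if __name__ == "__main__":
    # Typical use: assess(open("wp-content/plugins/<plugin dir>/<main file>.php").read())
    print(assess(SAMPLE_HEADER))
```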
Workarounds
- Deactivate the Perfect Survey plugin if upgrading is not immediately feasible
- Implement WAF rules for the question_id parameter; if legitimate values are integers (the parameter name suggests so; confirm on your site), rejecting any non-numeric value is more robust than a keyword blocklist, which attackers routinely bypass with encoding and case variations
- Block unauthenticated access to the get_question action specifically; blocking all unauthenticated requests to wp-admin/admin-ajax.php is a blunt instrument that breaks front-end features of many themes and plugins, which rely on the wp_ajax_nopriv_ hooks
- Apply IP-based access controls to limit exposure while awaiting a maintenance window for patching
# Apache .htaccess workaround to block suspicious get_question requests
# Add to the WordPress root .htaccess, above the "# BEGIN WordPress" block.
# mod_rewrite tests the raw, still URL-encoded query string, so tokens are
# listed in both literal and %XX form where they differ. This is a keyword
# blocklist: it can be bypassed by encodings not listed here and buys time
# until the plugin is updated; it is not a fix.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} (^|&)action=get_question(&|$) [NC]
RewriteCond %{QUERY_STRING} (^|&)question_id=[^&]*(\%27|\'|union|select|concat|char\(|sleep\(|benchmark\(|--|\%23|/\*|\%2F\*) [NC]
RewriteRule ^wp-admin/admin-ajax\.php$ - [F,L]
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

