CVE-2021-47941 Overview
CVE-2021-47941 is an unauthenticated SQL injection vulnerability in the WordPress Survey & Poll plugin version 1.5.7.3. Attackers inject malicious SQL payloads through the wp_sap cookie parameter to execute arbitrary queries against the WordPress database. Successful exploitation allows extraction of sensitive data including usernames, password hashes, and other confidential records stored in the backend database. The flaw is classified under [CWE-89] Improper Neutralization of Special Elements used in an SQL Command. No authentication or user interaction is required, making the issue exploitable remotely over the network.
Critical Impact
Unauthenticated remote attackers can extract WordPress credentials and arbitrary database contents by injecting SQL into the wp_sap cookie.
Affected Products
- WordPress Plugin Survey & Poll 1.5.7.3
- Pantherius Modal Survey plugin (Survey & Poll component)
- WordPress installations with the vulnerable plugin enabled
Discovery Timeline
- 2026-05-10 - CVE-2021-47941 published to the National Vulnerability Database (NVD)
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2021-47941
Vulnerability Analysis
The Survey & Poll plugin reads the wp_sap cookie value and incorporates it directly into a backend SQL statement without sanitization or parameterization. Because the input flows from an attacker-controlled HTTP cookie header into the query string, an unauthenticated client can append arbitrary SQL clauses. The vulnerability falls under [CWE-89] and affects the plugin's survey state handling logic.
An attacker can send a single crafted HTTP request to any page rendering the plugin to trigger the injection. Standard UNION SELECT techniques retrieve rows from wp_users, exposing the user_login and user_pass columns. Blind and time-based variants also work because the cookie value is processed before authentication checks.
EPSS data places exploitation probability at 0.086% with a percentile of 24.613, but a public exploit exists at Exploit-DB entry 50269, which increases practical risk for exposed installations.
Root Cause
The root cause is unsanitized concatenation of the wp_sap cookie value into an SQL query. The plugin neither validates the cookie format nor uses prepared statements via $wpdb->prepare(), allowing operator injection.
Attack Vector
The attack vector is network-based and pre-authentication. An attacker issues an HTTP request to a WordPress page hosting the Survey & Poll plugin, supplying a malicious Cookie: wp_sap=... header containing SQL syntax. The server executes the injected SQL with database privileges held by the WordPress user. Refer to the VulnCheck WordPress Advisory and Exploit-DB #50269 for documented payload structures.
Detection Methods for CVE-2021-47941
Indicators of Compromise
- HTTP requests containing SQL keywords such as UNION, SELECT, SLEEP, or INFORMATION_SCHEMA inside the wp_sap cookie value.
- Unusual database query latency or errors logged by MySQL or MariaDB tied to plugin requests.
- Outbound exfiltration of wp_users table contents or unexpected reads of password hashes.
Detection Strategies
- Inspect web server access logs for Cookie: headers containing SQL metacharacters such as single quotes, comments (--, #), or stacked statements.
- Enable MySQL general or slow query logging and alert on queries referencing wp_users originating from plugin code paths.
- Deploy WAF rules that decode and inspect cookie values for SQL injection signatures, not only URL parameters.
Monitoring Recommendations
- Monitor for repeated 200-status requests to plugin endpoints from a single IP with varying cookie payloads.
- Track creation of new administrator accounts or password resets following suspicious requests.
- Alert on database response sizes that deviate from baseline page rendering.
How to Mitigate CVE-2021-47941
Immediate Actions Required
- Disable and remove the Survey & Poll plugin version 1.5.7.3 until a vendor-patched release is confirmed available.
- Rotate all WordPress administrator credentials and force password resets for site users.
- Audit the wp_users and wp_options tables for unauthorized modifications or injected administrator accounts.
Patch Information
No vendor patch URL is listed in the NVD record. Site operators should consult the Pantherius Survey Tool vendor site for updated releases and review the VulnCheck WordPress Advisory for remediation guidance.
Workarounds
- Block requests containing SQL syntax inside the wp_sap cookie at the WAF or reverse proxy layer.
- Restrict access to pages embedding the Survey & Poll plugin to authenticated users via WordPress access controls.
- Apply database least-privilege by ensuring the WordPress MySQL account cannot read tables outside its required scope.
# Example ModSecurity rule to block SQLi in the wp_sap cookie
SecRule REQUEST_COOKIES:wp_sap "@rx (?i)(union(\s|/\*.*\*/)+select|sleep\s*\(|information_schema|--|;)" \
"id:1004721,phase:1,deny,status:403,log,msg:'CVE-2021-47941 Survey & Poll SQLi attempt in wp_sap cookie'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
