CVE-2021-24385

Summary

The Filebird Plugin 4.7.3 introduced a SQL injection vulnerability as it is making SQL queries without escaping user input data from a HTTP post request. This is a major vulnerability as the user input is not escaped and passed directly to the get_col function and it allows SQL injection. The Rest API endpoint which invokes this function also does not have any required permissions/authentication and can be accessed by an anonymous user.

Affected Software

VendorProductVersion RangeStatus
Ninja TeamFileBird – WordPress Media Library Folders & File Manager4.7.3 < 4.7.3*affected
Ninja TeamFileBird – WordPress Media Library Folders & File Manager4.7.4 < 4.7.4affected

Weaknesses

  • CWE-89: CWE-89 SQL Injection

ADP Enrichment

CVE Program Container

Additional References

References