CVEDB API

Vulnerabilities

By Date
Known Exploited
Advanced Search

Vulnerable Software

Vendors
Products

Vulnerability Details CVE-2021-36916

The SQL injection vulnerability in the Hide My WP WordPress plugin (versions <= 6.2.3) is possible because of how the IP address is retrieved and used inside a SQL query. The function "hmwp_get_user_ip" tries to retrieve the IP address from multiple headers, including IP address headers that the user can spoof, such as "X-Forwarded-For." As a result, the malicious payload supplied in one of these IP address headers will be directly inserted into the SQL query, making SQL injection possible.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.006

EPSS Ranking 68.9%

CVSS Severity

CVSS v3 Score 8.6

CVSS v2 Score 7.5

References

https://codecanyon.net/item/hide-my-wp-amazing-security-plugin-for-wordpress/4177158
https://patchstack.com/database/vulnerability/hide-my-wp/wordpress-hide-my-wp-premium-plugin-6-2-3-sql-injection-sqli-vulnerability
https://patchstack.com/hide-my-wp-vulnerabilities-fixed/
https://codecanyon.net/item/hide-my-wp-amazing-security-plugin-for-wordpress/4177158
https://patchstack.com/database/vulnerability/hide-my-wp/wordpress-hide-my-wp-premium-plugin-6-2-3-sql-injection-sqli-vulnerability
https://patchstack.com/hide-my-wp-vulnerabilities-fixed/

Products affected by CVE-2021-36916

Wpwave » Hide My Wp » Version: 6.2.3

cpe:2.3:a:wpwave:hide_my_wp:6.2.3

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2021-36916

Products

Pricing

Contact Us