CVE-2021-47872
Unknown Unknown - Not Provided
Blind SQL Injection in SEO Panel archive.php Allows Data Extraction

Publication date: 2026-01-21

Last updated on: 2026-01-21

Assigner: VulnCheck

Description
SEO Panel versions prior to 4.9.0 contain a blind SQL injection vulnerability in the archive.php page that allows authenticated attackers to manipulate database queries through the 'order_col' parameter. Attackers can use sqlmap to exploit the vulnerability and extract database information by injecting malicious SQL code into the order column parameter.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-21
Last Modified
2026-01-21
Generated
2026-06-16
AI Q&A
2026-01-21
EPSS Evaluated
2026-06-15
NVD
CVE-2021-47872
EUVD
EUVD-2026-3613
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
seo_panel seo_panel to 4.9.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2021-47872 is a blind SQL injection vulnerability in SEO Panel versions prior to 4.9.0, specifically in the archive.php page's 'order_col' parameter. Authenticated attackers with admin privileges can manipulate this parameter to inject malicious SQL code, allowing them to extract sensitive database information without direct error messages. The attack can be automated using tools like sqlmap by modifying the 'order_col' parameter to a wildcard or time-delay SQL payload, enabling attackers to infer database contents through timing differences. [1, 2, 4]

Impact Analysis

This vulnerability allows an attacker with admin access to read, update, or delete arbitrary data or tables in the SEO Panel database. It can lead to unauthorized data access, data modification, or deletion, and potentially allow execution of commands on the underlying operating system. This poses a significant security risk including data breaches and loss of data integrity within the affected application. [1, 2, 4]

Detection Guidance

This vulnerability can be detected by logging into the SEO Panel as an administrator, navigating to the archive.php page, and modifying the 'order_col' parameter to include a time-delay SQL payload such as (SELECT 7397 FROM (SELECT(SLEEP(10)))keuG). A delayed response indicates the presence of the blind SQL injection. Additionally, automated tools like sqlmap can be used to detect and exploit the vulnerability. An example sqlmap command is: sqlmap -r file.txt --batch --level 5 --risk 3 --dbms MYSQL --dbs --technique=T --flush-session, where file.txt contains the captured HTTP request with the modified 'order_col' parameter. [1, 4]

Mitigation Strategies

The immediate mitigation step is to upgrade SEO Panel to version 4.9.0 or later, where this vulnerability has been fixed. The update includes security bug fixes addressing this blind SQL injection issue. Installation and upgrade can be performed using Bitnami, Softaculous, Installatron, Webuzo, AMPPS, or by downloading the latest version directly from the official SEO Panel website. [3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2021-47872. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart