CVE-2021-47872
Blind SQL Injection in SEO Panel archive.php Allows Data Extraction
Publication date: 2026-01-21
Last updated on: 2026-01-21
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| seo_panel | seo_panel | to 4.9.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2021-47872 is a blind SQL injection vulnerability in SEO Panel versions prior to 4.9.0, specifically in the archive.php page's 'order_col' parameter. Authenticated attackers with admin privileges can manipulate this parameter to inject malicious SQL code, allowing them to extract sensitive database information without direct error messages. The attack can be automated using tools like sqlmap by modifying the 'order_col' parameter to a wildcard or time-delay SQL payload, enabling attackers to infer database contents through timing differences. [1, 2, 4]
How can this vulnerability impact me? :
This vulnerability allows an attacker with admin access to read, update, or delete arbitrary data or tables in the SEO Panel database. It can lead to unauthorized data access, data modification, or deletion, and potentially allow execution of commands on the underlying operating system. This poses a significant security risk including data breaches and loss of data integrity within the affected application. [1, 2, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by logging into the SEO Panel as an administrator, navigating to the archive.php page, and modifying the 'order_col' parameter to include a time-delay SQL payload such as (SELECT 7397 FROM (SELECT(SLEEP(10)))keuG). A delayed response indicates the presence of the blind SQL injection. Additionally, automated tools like sqlmap can be used to detect and exploit the vulnerability. An example sqlmap command is: sqlmap -r file.txt --batch --level 5 --risk 3 --dbms MYSQL --dbs --technique=T --flush-session, where file.txt contains the captured HTTP request with the modified 'order_col' parameter. [1, 4]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade SEO Panel to version 4.9.0 or later, where this vulnerability has been fixed. The update includes security bug fixes addressing this blind SQL injection issue. Installation and upgrade can be performed using Bitnami, Softaculous, Installatron, Webuzo, AMPPS, or by downloading the latest version directly from the official SEO Panel website. [3]