CVE-2021-47941
SQL Injection in Survey & Poll WordPress Plugin
Publication date: 2026-05-10
Last updated on: 2026-05-10
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2021-47941 is a SQL injection vulnerability in the WordPress Plugin Survey & Poll version 1.5.7.3. It allows unauthenticated attackers to inject malicious SQL queries through the wp_sap cookie parameter.
By exploiting this flaw, attackers can execute arbitrary SQL commands on the WordPress database, enabling them to extract sensitive information such as usernames, passwords, and other confidential data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This SQL injection vulnerability allows attackers to extract sensitive database information such as usernames, passwords, and other confidential data from the WordPress database.
Exposure of such sensitive data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require the protection of personal and confidential information from unauthorized access.
Organizations using the affected plugin without proper mitigation may risk violating these standards due to potential data breaches resulting from exploitation of this vulnerability.
How can this vulnerability impact me? :
This vulnerability can have severe impacts including unauthorized access to sensitive database information.
- Attackers can extract usernames and passwords stored in the WordPress database.
- Confidential data stored in the database can be exposed.
- The integrity and confidentiality of the WordPress siteβs data can be compromised.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This SQL injection vulnerability in WordPress Plugin Survey & Poll 1.5.7.3 can be detected by attempting to inject SQL payloads via the wp_sap cookie parameter and observing if the system executes arbitrary SQL queries.
A Python script is available that automates exploitation by injecting SQL queries through the 'sss_params' parameter, which can be adapted for detection purposes. This script can list databases, tables, columns, and execute custom payloads to verify the presence of the vulnerability.
Commands to detect the vulnerability would involve sending crafted HTTP requests with malicious SQL payloads in the wp_sap cookie and analyzing the responses for database information or errors indicating SQL injection.
- Use the provided Python exploit script from ExploitDB (EDB-ID: 50269) to test injection via the wp_sap cookie.
- Manually craft HTTP requests with SQL injection payloads in the wp_sap cookie parameter and monitor the responses.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating or patching the WordPress Plugin Survey & Poll to a version that fixes the SQL injection vulnerability.
If an update is not immediately available, restrict or block HTTP requests that contain suspicious or unexpected wp_sap cookie values to prevent exploitation.
Implement Web Application Firewall (WAF) rules to detect and block SQL injection attempts targeting the wp_sap cookie parameter.
Review and harden database permissions to limit the impact of any potential SQL injection.