CVE-2021-47941
Received Received - Intake
SQL Injection in Survey & Poll WordPress Plugin

Publication date: 2026-05-10

Last updated on: 2026-05-10

Assigner: VulnCheck

Description
WordPress Plugin Survey & Poll 1.5.7.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the wp_sap cookie parameter. Attackers can craft SQL payloads in the cookie to extract sensitive database information including usernames, passwords, and other confidential data from the WordPress database.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-10
Last Modified
2026-05-10
Generated
2026-06-20
AI Q&A
2026-05-10
EPSS Evaluated
2026-06-18
NVD
CVE-2021-47941
EUVD
EUVD-2021-34802
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2021-47941 is a SQL injection vulnerability in the WordPress Plugin Survey & Poll version 1.5.7.3. It allows unauthenticated attackers to inject malicious SQL queries through the wp_sap cookie parameter.

By exploiting this flaw, attackers can execute arbitrary SQL commands on the WordPress database, enabling them to extract sensitive information such as usernames, passwords, and other confidential data.

Impact Analysis

This vulnerability can have severe impacts including unauthorized access to sensitive database information.

  • Attackers can extract usernames and passwords stored in the WordPress database.
  • Confidential data stored in the database can be exposed.
  • The integrity and confidentiality of the WordPress site’s data can be compromised.
Detection Guidance

This SQL injection vulnerability in WordPress Plugin Survey & Poll 1.5.7.3 can be detected by attempting to inject SQL payloads via the wp_sap cookie parameter and observing if the system executes arbitrary SQL queries.

A Python script is available that automates exploitation by injecting SQL queries through the 'sss_params' parameter, which can be adapted for detection purposes. This script can list databases, tables, columns, and execute custom payloads to verify the presence of the vulnerability.

Commands to detect the vulnerability would involve sending crafted HTTP requests with malicious SQL payloads in the wp_sap cookie and analyzing the responses for database information or errors indicating SQL injection.

  • Use the provided Python exploit script from ExploitDB (EDB-ID: 50269) to test injection via the wp_sap cookie.
  • Manually craft HTTP requests with SQL injection payloads in the wp_sap cookie parameter and monitor the responses.
Mitigation Strategies

Immediate mitigation steps include updating or patching the WordPress Plugin Survey & Poll to a version that fixes the SQL injection vulnerability.

If an update is not immediately available, restrict or block HTTP requests that contain suspicious or unexpected wp_sap cookie values to prevent exploitation.

Implement Web Application Firewall (WAF) rules to detect and block SQL injection attempts targeting the wp_sap cookie parameter.

Review and harden database permissions to limit the impact of any potential SQL injection.

Compliance Impact

This SQL injection vulnerability allows attackers to extract sensitive database information such as usernames, passwords, and other confidential data from the WordPress database.

Exposure of such sensitive data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require the protection of personal and confidential information from unauthorized access.

Organizations using the affected plugin without proper mitigation may risk violating these standards due to potential data breaches resulting from exploitation of this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2021-47941. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart