Is CVE-2021-25076 known to be exploited?

24 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

SQL Injection in Wp User Frontend – Membership, Profile, Registration & Post Submission Plugin For Wordpress

CVE-2021-25076

The WP User Frontend WordPress plugin before 3.5.26 does not validate and escape the status parameter before using it in a SQL statement in the Subscribers dashboard, leading to an SQL injection. Due to the lack of sanitisation and escapin…

Vulnerability class: SQL Injection

EPSS: 0.523 (98.0th percentile) — read the EPSS interpretation.

Affected products

Unknown Wp User Frontend – Membership, Profile, Registration & Post Submission Plugin For Wordpress — versions 3.5.26

Weakness classification (CWE)

CWE-89 — SQL Injection

Public proof-of-concept exploits

References

wpscan.com/vulnerability/6d3eeba6-5560-4380-a6e9-f008a9112ac6 (x_refsource_MISC)
plugins.trac.wordpress.org/changeset/2648715 (x_refsource_CONFIRM)
packetstormsecurity.com/files/166071/WordPress-WP-User-Frontend-3.5.25-SQL-Inje… (x_refsource_MISC)

Frequently asked questions

What is CVE-2021-25076?: CVE-2021-25076 is a vulnerability in Wp User Frontend – Membership, Profile, Registration & Post Submission Plugin For Wordpress, classified under SQL Injection. Published 2022-01-24.
Is CVE-2021-25076 known to be exploited?: 24 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.