SQL injection vulnerabilities in WordPress plugin Hide My WP

Cybersecurity specialists report the detection of two vulnerabilities in Hide My WP, a popular security plugin for WordPress websites. According to the report, successful exploitation of these flaws would allow threat actors to deploy multiple attack scenarios.

Below are brief descriptions of the reported flaws, in addition to their respective identification keys and scores assigned by the Common Vulnerability Scoring System (CVSS).

CVE-2021-36916: This flaw exists due to insufficient disinfection of user-provided data in the “hmwp_get_user_ip” function using IP address headers. Remote threat actors could send a specially crafted request to the affected application and execute arbitrary SQL commands on a vulnerable database.

The vulnerability received a CVSS score of 8.5/10 and its successful exploitation would allow access to sensitive data and the total compromise of the affected application.

CVE-2021-36917: Moreover, this flaw exists due to the incorrect application of access restrictions on reset tokens. Remote malicious hackers can disable the affected plugin and perform denial of service (DoS) attacks.

This is a medium severity flaw and received a CVSS score of 4.6/10.

According to the report, the detected flaws reside in the following versions of Hide My WP: 6.2.3.

Although flaws can be exploited by unauthenticated threat actors, no incidents of active exploitation have been detected so far. However, users of affected deployments are encouraged to apply the available security patches.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.