CVEs-PoC/2021/CVE-2021-24919.md

### [CVE-2021-24919](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24919)
![](https://img.shields.io/static/v1?label=Product&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=brighgreen)

### Description

The Wicked Folders WordPress plugin before 2.8.10 does not sanitise and escape the folder_id parameter before using it in a SQL statement in the wicked_folders_save_sort_order AJAX action, available to any authenticated user. leading to an SQL injection

### POC

#### Reference
- https://wpscan.com/vulnerability/f472ec7d-765c-4266-ab9c-e2d06703ebb4

#### Github
No PoCs found on GitHub currently.