CVE-2021-24385

Name of the Vulnerable Software and Affected Versions Filebird Plugin version 4.7.3

Description The issue arises from the plugin making SQL queries without properly escaping user input data from HTTP post requests, allowing for SQL injection. This is exacerbated by the lack of required permissions or authentication for the Rest API endpoint that invokes the vulnerable function, making it accessible to anonymous users.

Recommendations For Filebird Plugin version 4.7.3, consider disabling the Rest API endpoint that invokes the vulnerable function until a patch is available, and ensure that all user input data is properly escaped to prevent SQL injection. Restrict access to the endpoint to require proper authentication and permissions to minimize the risk of exploitation.