CVE-2021-24762: 
WordPress vulnerability analysis and mitigation

The Perfect Survey WordPress plugin before version 1.5.2 contains an unauthenticated SQL injection vulnerability (CVE-2021-24762). The vulnerability was discovered and publicly disclosed on October 5, 2021, affecting all versions of the plugin prior to 1.5.2. The issue stems from improper validation and escaping of the questionid GET parameter in the getquestion AJAX action (WPScan).

The vulnerability is classified as a SQL injection (CWE-89) with a CVSS v3.1 base score of 9.8 (CRITICAL). The issue occurs in the getquestion AJAX action where the questionid GET parameter is not properly validated or escaped before being used in SQL statements. This vulnerability can be exploited through the WordPress admin-ajax.php endpoint, requiring no authentication. A proof of concept exists that demonstrates how an attacker can exploit this vulnerability to extract user data from the wp_users table (WPScan).

The vulnerability allows unauthenticated attackers to perform SQL injection attacks against affected WordPress installations. Due to its critical CVSS score (9.8), successful exploitation could lead to unauthorized access to sensitive database information, including user credentials, and potential database manipulation or destruction (NVD).

The vulnerability has been patched in Perfect Survey version 1.5.2. Website administrators running affected versions should immediately upgrade to version 1.5.2 or later to mitigate this security risk (WPScan).