WordPress Plugin Survey & Poll SQLi Puts Data at Risk
The National Vulnerability Database reports a critical SQL injection vulnerability, CVE-2021-47941, in WordPress Plugin Survey & Poll version 1.5.7.3. This flaw allows unauthenticated attackers to execute arbitrary SQL queries, a severe risk that can lead to full database compromise.
Attackers can exploit this by injecting malicious code directly into the wp_sap cookie parameter. This vector enables them to extract sensitive database information, including usernames, hashed passwords, and other confidential data stored within the WordPress database. The CVSS score of 8.2 (HIGH) underscores the severity, indicating a network-exploitable vulnerability requiring no user interaction or privileges.
For defenders, this means any WordPress site running the affected plugin is an open book. The ease of exploitation via a simple cookie injection makes this a prime target for opportunistic attackers looking to enumerate databases and exfiltrate data. Patching or removing this plugin immediately is non-negotiable.
What This Means For You
- If your WordPress site uses the Survey & Poll plugin (version 1.5.7.3 or earlier), you are exposed to unauthenticated SQL injection. Your entire WordPress database, including user credentials and sensitive content, is at risk of exfiltration. Immediately audit your WordPress installations for this plugin and update it or remove it.
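One way to run the audit described above across many installs, as an added example that is not from the original page or the plugin's authors. It assumes the plugin lives in the `survey-and-poll` directory named in the page's Sigma rule and that its version is declared in the standard WordPress plugin header; the status labels, the sample tree and the `9.9.9` version are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

PLUGIN_SLUG = "survey-and-poll"   # directory name as it appears in the page's Sigma rule
AFFECTED_MAX = (1, 5, 7, 3)       # the page lists 1.5.7.3 or earlier as exposed
# Simplified form of the "Version:" line in a WordPress plugin header comment.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\d+(?:\.\d+)*)", re.I | re.M)

def plugin_version(plugin_dir):
    """Return the header version of the plugin in plugin_dir as an int tuple, or None."""
    for php in sorted(plugin_dir.glob("*.php")):        # header lives in a top-level file
        head = php.read_text(errors="replace")[:8192]   # WordPress scans the first 8 KB
        match = VERSION_RE.search(head)
        if match and "Plugin Name:" in head:
            return tuple(int(part) for part in match.group(1).split("."))
    return None

def audit(root):
    """Return sorted (relative path, version, status) for each plugin copy under root."""
    findings = []
    for plugin_dir in Path(root).rglob(f"wp-content/plugins/{PLUGIN_SLUG}"):
        if not plugin_dir.is_dir():
            continue
        version = plugin_version(plugin_dir)
        if version is None:
            status = "UNKNOWN"      # directory present, no readable header: check by hand
        elif version <= AFFECTED_MAX:
            status = "AFFECTED"
        else:
            status = "NOT_LISTED"   # newer than the version the page names; page gives no fixed release
        shown = ".".join(map(str, version)) if version else "?"
        findings.append((plugin_dir.relative_to(root).as_posix(), shown, status))
    return sorted(findings)

def demo():
    """Run the audit over a constructed tree of three fake installs."""
    samples = {"site-a": "1.5.7.3", "site-b": "1.5.6", "site-c": "9.9.9"}  # constructed
    with tempfile.TemporaryDirectory() as tmp:
        for site, ver in samples.items():
            d = Path(tmp, site, "wp-content", "plugins", PLUGIN_SLUG)
            d.mkdir(parents=True)
            (d / "main.php").write_text(f"<?php\n/*\nPlugin Name: Sample\nVersion: {ver}\n*/\n")
        return audit(tmp)

if __name__ == "__main__":
    for row in demo():
        print(*row)
```

Point `audit()` at the directory that holds your site roots; an `UNKNOWN` result means the plugin directory exists but its header could not be read and needs a manual look.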
🛡️ Detection Rules
3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.
WordPress Survey & Poll Plugin SQL Injection via wp_sap Cookie - CVE-2021-47941
```yaml
title: WordPress Survey & Poll Plugin SQL Injection via wp_sap Cookie - CVE-2021-47941
id: scw-2026-05-10-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2021-47941 by looking for requests to the Survey & Poll plugin directory that contain the vulnerable 'wp_sap' cookie parameter. This parameter is used by attackers to inject SQL payloads for data exfiltration.
author: SCW Feed Engine (AI-generated)
date: 2026-05-10
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2021-47941/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/wp-content/plugins/survey-and-poll/'
    # wp_sap is a cookie, so match the logged Cookie header rather than the
    # query string; the web server must be configured to log request cookies.
    cs-cookie|contains:
      - 'wp_sap='
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2021-47941 | SQLi | WordPress Plugin Survey & Poll version 1.5.7.3 |
| CVE-2021-47941 | SQLi | Vulnerable parameter: wp_sap cookie |
| CVE-2021-47941 | SQLi | Attack vector: Unauthenticated SQL injection via cookie |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 10, 2026 at 16:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.