CVE-2021-47954: Unauthenticated SQLi in LayerBB 1.1.4

The National Vulnerability Database reports CVE-2021-47954, a high-severity SQL injection vulnerability in LayerBB 1.1.4. The flaw allows unauthenticated attackers to manipulate database queries via the `search_query` parameter in POST requests to `/search.php`.

Attackers can use `CASE WHEN` statements to extract sensitive database information. With a CVSS score of 8.2 (HIGH), the vulnerability is a significant data-exfiltration risk: it gives unauthorized access to backend data, and because exploitation requires no authentication, it is open to anyone who can send requests to the forum.

Defenders using LayerBB 1.1.4 must recognize that this isn’t just a theoretical flaw; it’s a direct path to their database. The attacker’s calculus here is straightforward: send a crafted POST request and gain access to sensitive data. If you’re running this version, you’re exposed.

What This Means For You

  • If your organization uses LayerBB 1.1.4, you are vulnerable to unauthenticated SQL injection. Prioritize patching or migrating immediately. Audit your web server logs for `/search.php` POST requests containing suspicious `search_query` parameters or SQL syntax, as this could indicate active exploitation.
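One way to run the log audit described above, as an added example (not part of the original advisory and not LayerBB code). It assumes a proxy or WAF that writes JSON-lines records with hypothetical `src`, `method`, `uri` and `body` fields, since default access logs do not record POST bodies; the sample records are constructed.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# SQL CASE expression: CASE WHEN <cond> THEN ... (requiring THEN avoids
# flagging ordinary searches such as "best use case when moderating").
CASE_WHEN = re.compile(r"\bcase\s+when\b.+?\bthen\b", re.IGNORECASE | re.DOTALL)

def suspicious_search_posts(lines):
    """Return (line_number, source, decoded search_query) for each hit."""
    hits = []
    for lineno, raw in enumerate(lines, start=1):
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if not isinstance(rec, dict):
            continue
        if str(rec.get("method", "")).upper() != "POST":
            continue
        # Compare the path only, so a query string on the URL does not hide it.
        if not urlsplit(str(rec.get("uri", ""))).path.endswith("/search.php"):
            continue
        # parse_qs decodes both '+' and %XX, so "CASE+WHEN" and
        # "CASE%20WHEN" look the same after decoding.
        form = parse_qs(str(rec.get("body", "")), keep_blank_values=True)
        for value in form.get("search_query", []):
            if CASE_WHEN.search(value):
                hits.append((lineno, rec.get("src", "?"), value))
    return hits

# Constructed sample records (documentation addresses), not real traffic.
SAMPLE_LOG = [
    '{"src":"198.51.100.7","method":"POST","uri":"/search.php","body":"search_query=CASE+WHEN+1%3D1+THEN+1+ELSE+0+END"}',
    '{"src":"198.51.100.7","method":"POST","uri":"/forum/search.php?page=2","body":"search_query=case%20when%202%3E1%20then%201%20end&submit=Go"}',
    '{"src":"203.0.113.20","method":"POST","uri":"/search.php","body":"search_query=best+use+case+when+moderating"}',
    '{"src":"203.0.113.21","method":"GET","uri":"/search.php","body":""}',
    '{"src":"203.0.113.22","method":"POST","uri":"/login.php","body":"search_query=CASE+WHEN+1%3D1+THEN+1+END"}',
    '{"src":"203.0.113.23","method":"POST","uri":"/search.php","bo',
]

if __name__ == "__main__":
    for lineno, src, value in suspicious_search_posts(SAMPLE_LOG):
        print(f"line {lineno}: {src} search_query={value!r}")
```

Only the first two sample records are reported; the benign search, the GET request, the other endpoint and the truncated line are skipped.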

🛡️ Detection Rules

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.

critical T1190 Initial Access

CVE-2021-47954: Unauthenticated SQLi in LayerBB search.php

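Sigma YAML

```yaml
# Title is quoted because it contains ": ", which is not valid in a plain YAML scalar
title: 'CVE-2021-47954: Unauthenticated SQLi in LayerBB search.php'
id: scw-2026-05-16-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2021-47954 by sending POST requests to /search.php with a 'search_query' parameter containing 'CASE WHEN' statements, indicative of SQL injection to extract database information.
author: SCW Feed Engine (AI-generated)
date: 2026-05-16
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2021-47954/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    # Request path; cs-uri-stem is the Sigma webserver field for it
    cs-uri-stem|endswith:
      - '/search.php'
    cs-method:
      - 'POST'
    # Matches only where the log source records the POST parameters in this field;
    # default access logs do not contain the request body.
    # The '+' and '%20' variants cover form-encoded spaces.
    cs-uri-query|contains:
      - 'search_query=CASE WHEN'
      - 'search_query=CASE+WHEN'
      - 'search_query=CASE%20WHEN'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```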

Source: Shimi's Cyber World

Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2021-47954 | SQLi | LayerBB 1.1.4 |
| CVE-2021-47954 | SQLi | Vulnerable parameter: search_query |
| CVE-2021-47954 | SQLi | Vulnerable endpoint: /search.php |
| CVE-2021-47954 | SQLi | Attack vector: POST request with malicious search_query |

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 16, 2026 at 19:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
