EgavilanMedia PHPCRUD SQLi Exposes Unauthenticated Data Access
The National Vulnerability Database reports CVE-2021-47956, a high-severity SQL injection vulnerability in EgavilanMedia PHPCRUD version 1.0. This flaw allows unauthenticated attackers to manipulate database queries by injecting malicious SQL code via the firstname parameter. Attackers can leverage POST requests to insert.php with crafted firstname values to extract sensitive database information.
This is a classic SQLi scenario, rated 8.2 (HIGH) on the CVSS scale. The critical aspect here is the lack of authentication required for exploitation, making it a low-friction target for adversaries. An attacker only needs network access to the vulnerable application to begin siphoning data. It’s a direct path to sensitive data exfiltration.
While specific affected products beyond PHPCRUD 1.0 aren’t detailed by the National Vulnerability Database, any organization running this specific version is at immediate risk. This vulnerability type, CWE-89, remains a persistent threat due to improper input sanitization. Defenders must prioritize patching or isolating any instances of this software.
What This Means For You
- If your organization uses EgavilanMedia PHPCRUD version 1.0, you are exposed to unauthenticated data theft. Immediately identify and patch or remove any instances of this application. Audit web server logs for suspicious POST requests to `insert.php` that manipulate the `firstname` parameter.
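One way to run that log audit, as an added example (not code from the advisory or from PHPCRUD): it decodes the `firstname` value before matching, so hits do not depend on how the request was URL-encoded or cased. It assumes a log source that records the POST body; the space-separated line layout, the `/phpcrud/` path and the sample lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# SQL syntax that has no place in a first name. A lone apostrophe (O'Brien)
# is deliberately not enough to trigger a hit.
SQLI_RE = re.compile(
    r"'\s*(or|and|union|select)\b|\bunion\s+(all\s+)?select\b|--|/\*|;",
    re.IGNORECASE,
)

def fully_decode(value, max_rounds=3):
    """URL-decode repeatedly so double-encoded input (%2527) is normalised."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def audit(lines):
    """Return (client_ip, decoded firstname) for suspicious POSTs to insert.php."""
    hits = []
    for line in lines:
        # Assumed (constructed) layout: ip method path status urlencoded-body
        parts = line.split(" ", 4)
        if len(parts) != 5:
            continue  # malformed or truncated line
        ip, method, path, _status, body = parts
        if method != "POST" or not path.split("?")[0].endswith("/insert.php"):
            continue
        # parse_qs splits on '&' and decodes once; fully_decode handles the rest.
        for raw in parse_qs(body, keep_blank_values=True).get("firstname", []):
            value = fully_decode(raw)
            if SQLI_RE.search(value):
                hits.append((ip, value))
    return hits

# Constructed sample log lines (documentation IP ranges).
SAMPLE_LOG = [
    "203.0.113.5 POST /phpcrud/insert.php 200 firstname=Alice&lastname=Smith",
    "203.0.113.9 POST /phpcrud/insert.php 200 firstname=O%27Brien&lastname=X",
    "198.51.100.7 POST /phpcrud/insert.php 200 firstname=%27+OR+%271%27%3D%271&lastname=a",
    "198.51.100.7 POST /phpcrud/insert.php 500 firstname=x%2527%2520uNiOn%2520SeLeCt%25201&lastname=a",
    "192.0.2.44 GET /phpcrud/index.php 200 -",
]

if __name__ == "__main__":
    for ip, value in audit(SAMPLE_LOG):
        print(f"{ip}\tfirstname={value!r}")
```

Standard access logs do not record POST bodies, so the input has to come from a WAF, reverse proxy or application log that captures them.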
🛡️ Detection Rules
CVE-2021-47956 - EgavilanMedia PHPCRUD Unauthenticated SQL Injection via firstname
```yaml
title: CVE-2021-47956 - EgavilanMedia PHPCRUD Unauthenticated SQL Injection via firstname
id: scw-2026-05-16-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2021-47956 in EgavilanMedia PHPCRUD 1.0. This rule specifically looks for POST requests to 'insert.php' containing SQL injection payloads in the 'firstname' parameter, such as ' OR '1'='1' or ' UNION SELECT', indicating an attempt to exfiltrate data without authentication.
author: SCW Feed Engine (AI-generated)
date: 2026-05-16
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2021-47956/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  # POST request to the vulnerable endpoint.
  selection_request:
    cs-method: 'POST'
    cs-uri-stem|contains: '/insert.php'
  # The vulnerable parameter is present.
  # Note: cs-uri-query does not include the POST body in standard access logs,
  # so these two selections only match if the log source records the submitted
  # form data in this field.
  selection_param:
    cs-uri-query|contains: 'firstname='
  # Either payload pattern (list items are OR-ed). A map cannot repeat the
  # same key, so the payloads are one list instead of three duplicate keys.
  selection_payload:
    cs-uri-query|contains:
      - '%27 OR %271%27%3D%271'
      - '%27 UNION SELECT'
  condition: all of selection_*
falsepositives:
  - Legitimate administrative activity
```
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2021-47956 | SQLi | EgavilanMedia PHPCRUD version 1.0 |
| CVE-2021-47956 | SQLi | Vulnerable parameter: firstname |
| CVE-2021-47956 | SQLi | Vulnerable endpoint: insert.php (POST request) |
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 16, 2026 at 19:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.