CVE-2021-47966: PHP Timeclock SQLi Exposes Employee Data

The National Vulnerability Database has detailed CVE-2021-47966, a high-severity (CVSS 8.2) vulnerability impacting PHP Timeclock 1.04. This flaw allows unauthenticated attackers to execute time-based and boolean-based blind SQL injection attacks through the login_userid parameter in login.php.

Attackers can craft POST requests whose login_userid value carries a MySQL SLEEP() call (time-based) or an RLIKE conditional (boolean-based). Each request then answers one yes/no question about the database, either by how long it takes or by which response comes back, and repeating the question character by character is enough to extract database contents, including employee names and credentials. The CWE-89 classification (improper neutralization of special elements in an SQL command) points at the root cause: the parameter is concatenated into SQL text instead of being bound with a parameterized query.
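As an added illustration, not PHP Timeclock's own code (its login.php is not reproduced on this page), the following constructed Python/sqlite3 example shows the CWE-89 pattern the advisory describes beside its parameterized fix, and a boolean-based blind loop showing why a single unauthenticated yes/no oracle on the login lookup is enough to read credentials. The table, column names and sample rows are assumptions; SQLite has no SLEEP() or RLIKE, so the probe uses substr() where the MySQL payloads named above would use RLIKE (boolean) or SLEEP() (time-based).

```python
import sqlite3

# Constructed sample database: NOT PHP Timeclock's real schema. Table,
# column names and rows are assumptions for illustration only.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (login_userid TEXT, password TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO employees VALUES (?, ?, ?)",
        [("jdoe", "s3cret", "Jane Doe"), ("admin", "hunter2", "Site Admin")],
    )
    return conn


def lookup_vulnerable(conn, login_userid):
    # CWE-89: the user-supplied parameter is spliced into the SQL text, so
    # a quote in login_userid ends the literal and the rest is parsed as SQL.
    sql = "SELECT name FROM employees WHERE login_userid = '%s'" % login_userid
    return [row[0] for row in conn.execute(sql)]


def lookup_fixed(conn, login_userid):
    # Parameterized query: the value is bound by the driver and is never
    # parsed as SQL, whatever characters it contains.
    sql = "SELECT name FROM employees WHERE login_userid = ?"
    return [row[0] for row in conn.execute(sql, (login_userid,))]


def blind_extract_password(conn, target_user, max_len=16):
    """Boolean-based blind inference through lookup_vulnerable().

    Each probe asks one yes/no question (is character N of the target's
    password equal to X?) and observes only whether any row comes back.
    Against MySQL the same shape is written with RLIKE, or with SLEEP()
    when the response body gives nothing away and only timing differs.
    """
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    recovered = ""
    for pos in range(1, max_len + 1):
        found = False
        for ch in alphabet:
            payload = (
                "' OR (SELECT substr(password,%d,1) FROM employees "
                "WHERE login_userid='%s')='%s'--" % (pos, target_user, ch)
            )
            if lookup_vulnerable(conn, payload):   # truthy -> the guess was right
                recovered += ch
                found = True
                break
        if not found:                              # no character matched: end of value
            break
    return recovered


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, tautology:", lookup_vulnerable(db, "' OR 1=1--"))
    print("fixed, same input:    ", lookup_fixed(db, "' OR 1=1--"))
    print("blind extraction:     ", blind_extract_password(db, "admin"))
```

The fixed lookup returns nothing for the injected string because the whole string is compared against login_userid as data; the same payload against the vulnerable lookup returns every row, and the extraction loop recovers the stored password without ever seeing it in a response.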

This isn’t just a theoretical bug; it’s a direct path to sensitive internal data. For any organization still running PHP Timeclock 1.04, this vulnerability represents a critical exposure. Attackers prioritize low-hanging fruit, and an unauthenticated SQLi on a login page is exactly that. It bypasses authentication entirely, making the database content fair game for anyone with network access to the application.

What This Means For You

  • If your organization uses PHP Timeclock 1.04, you are vulnerable to unauthenticated database compromise. Attackers can dump employee names and credentials without needing any prior access. Immediately identify all instances of PHP Timeclock 1.04 in your environment, assess its criticality, and prioritize patching or removal. Assume compromise if you've been running this version unpatched.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application (Initial Access)

🛡️ Detection Rules

The rule below was auto-generated for this CVE and mapped to MITRE ATT&CK.

Level: high · T1190 Exploit Public-Facing Application (Initial Access)

CVE-2021-47966: PHP Timeclock Blind SQLi via login.php

Sigma YAML:
title: CVE-2021-47966: PHP Timeclock Blind SQLi via login.php
id: scw-2026-05-15-ai-1
status: experimental
level: high
description: |
  Detects attempts to exploit CVE-2021-47966 by targeting the login.php endpoint with POST requests whose logged 'login_userid' parameter carries a MySQL SLEEP() call (time-based blind SQL injection) or an RLIKE conditional (boolean-based blind SQL injection).
author: SCW Feed Engine (AI-generated)
date: 2026-05-15
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2021-47966/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains: '/login.php'
    cs-method: 'POST'          # exact match is the default; Sigma has no 'exact' modifier
  selection_parameter:
    cs-uri-query|contains: 'login_userid='
  selection_payload:
    cs-uri-query|contains:
      - 'SLEEP('
      - 'RLIKE'
  # The vulnerable parameter travels in the POST body. Standard access logs
  # record only the query string (cs-uri-query), so this fires only when the
  # payload also appears in the URL or when the log source (WAF, reverse proxy
  # or request-body logging) copies form fields into that field. Review the
  # logging tier before relying on it.
  condition: selection and selection_parameter and selection_payload
falsepositives:
  - Legitimate administrative activity
  - Authorized vulnerability scans and penetration tests
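To check what the rule above actually catches, here is an added Python harness (not part of the page or of the feed engine) that parses constructed W3C-style access-log lines and applies the same selection logic: login.php, method POST, login_userid= in the query string, and a SLEEP( or RLIKE keyword. The log lines, field layout and paths are constructed for the example. The last sample line shows the practical blind spot: a POST whose form body is not logged yields an empty cs-uri-query, and no query-string rule can judge it.

```python
import re
from urllib.parse import unquote_plus

# Constructed W3C-style access-log lines (Sigma 'webserver' category); NOT
# real traffic. Fields: date time cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOGS = """\
2026-05-15 22:10:01 POST /timeclock/login.php login_userid=jdoe&login_password=x 302
2026-05-15 22:10:05 POST /timeclock/login.php login_userid=jdoe'+AND+SLEEP(5)--&login_password=x 200
2026-05-15 22:10:09 POST /timeclock/login.php login_userid=jdoe'+AND+'a'+RLIKE+'a&login_password=x 200
2026-05-15 22:10:12 GET /timeclock/login.php - 200
2026-05-15 22:10:15 POST /timeclock/login.php - 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")

# Keywords the Sigma rule looks for; compared case-insensitively, as Sigma does.
INDICATORS = ("SLEEP(", "RLIKE")


def parse_line(line):
    """Split one log line into the field names the Sigma rule uses."""
    m = LOG_RE.match(line)
    if not m:
        return None
    _date, _time, method, uri, query, status = m.groups()
    return {
        "cs-method": method,
        "cs-uri": uri,
        # '-' means no query string. Decode first so %53%4C... or '+'
        # encoded payloads still hit the plain keywords.
        "cs-uri-query": "" if query == "-" else unquote_plus(query),
        "sc-status": int(status),
    }


def matches_rule(event):
    """Mirror of the Sigma condition: selection and parameter and payload."""
    if "/login.php" not in event["cs-uri"] or event["cs-method"] != "POST":
        return False
    q = event["cs-uri-query"].upper()
    return "LOGIN_USERID=" in q and any(ind in q for ind in INDICATORS)


def scan(log_text):
    """Return the decoded query strings of every line the rule fires on."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and matches_rule(ev):
            hits.append(ev["cs-uri-query"])
    return hits


def blind_spots(log_text):
    """Count POSTs to login.php with no logged query string: requests the
    rule cannot judge because the form body, where login_userid really
    travels, never reached the access log."""
    n = 0
    for line in log_text.splitlines():
        ev = parse_line(line)
        if (ev and "/login.php" in ev["cs-uri"]
                and ev["cs-method"] == "POST" and ev["cs-uri-query"] == ""):
            n += 1
    return n


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print("ALERT:", hit)
    print("unjudgeable POSTs (body not logged):", blind_spots(SAMPLE_LOGS))
```

Two of the five constructed lines fire, the benign login and the GET do not, and one POST is invisible to the rule. If your access logs look like that last line, the rule needs a log source that records request bodies (a WAF, reverse proxy or application-level request logging) before it is worth deploying.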

Source: Shimi's Cyber World

Indicators of Compromise

ID              Type  Indicator
CVE-2021-47966  SQLi  PHP Timeclock 1.04
CVE-2021-47966  SQLi  login.php
CVE-2021-47966  SQLi  login_userid parameter
CVE-2021-47966  SQLi  time-based blind SQL injection
CVE-2021-47966  SQLi  boolean-based blind SQL injection

These entries describe the vulnerable surface and technique rather than atomic indicators (there are no IPs, hashes or domains); use them to scope log searches for login.php requests, not as block-list entries.
Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 15, 2026 at 22:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
