CVE-2021-47909
Published: 01 February 2026
Summary
CVE-2021-47909 is a high-severity SQL Injection (CWE-89) vulnerability in Vulnerability Lab (inferred from references). Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2021-47909 involves multiple SQL injection vulnerabilities (CWE-89) in Mult-E-Cart Ultimate version 2.4. These flaws affect the inventory, customer, vendor, and order modules, where the 'id' parameter fails to properly sanitize user input, enabling injection of malicious SQL commands. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), highlighting its high severity due to network accessibility and low prerequisite privileges.
Attackers with privileged vendor or admin roles can exploit these issues remotely without user interaction. By manipulating the vulnerable 'id' parameter, they can execute arbitrary SQL commands, compromising the database management system through unauthorized data extraction, modification, or other integrity violations, achieving high confidentiality and integrity impacts.
Advisories from VulnCheck (https://www.vulncheck.com/advisories/mult-e-cart-ultimate-sql-injection-via-vulnerable-id-parameters) and Vulnerability Lab (https://www.vulnerability-lab.com/get_content.php?id=2306) detail the issues, while vendor resources at https://ultimate.multecart.com/ and https://www.techraft.in/ may provide further guidance on patches or mitigations. Security practitioners should review these for specific remediation steps.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-34761
Vulnerability details
Mult-E-Cart Ultimate 2.4 contains multiple SQL injection vulnerabilities in inventory, customer, vendor, and order modules. Remote attackers with privileged vendor or admin roles can exploit the 'id' parameter to execute malicious SQL commands and compromise the database management system.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in a publicly accessible web application directly enables remote exploitation of the app (T1190) for DB compromise.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires input validation and sanitization of parameters like 'id' to prevent SQL injection exploitation in affected modules.
Mandates timely identification, reporting, and correction of software flaws such as the SQL injection vulnerabilities in Mult-E-Cart Ultimate 2.4.
Facilitates vulnerability scanning to identify SQL injection flaws like those in the 'id' parameter before privileged attackers can exploit them.