CVE-2024-8621

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)

Published: Sep 25, 2024 / Updated: 56d ago

CVSS 6.5 | EPSS 0.06% | Medium

Summary

The Daily Prayer Time plugin for WordPress is vulnerable to SQL Injection via the 'max_word' attribute of the 'quran_verse' shortcode in all versions up to, and including, 2024.08.26. The vulnerability is due to insufficient escaping of the user-supplied parameter and lack of sufficient preparation of the existing SQL query. This makes it possible for authenticated attackers with Contributor-level access and above to append additional SQL queries to the existing query and extract sensitive information from the database.

Impact

This vulnerability allows authenticated attackers with Contributor-level access or higher to perform SQL injection attacks. The potential impacts are severe:

1. Data Breach: Attackers can extract sensitive information from the database, potentially accessing user credentials, personal information, or other confidential data stored in the WordPress database.
2. Data Manipulation: The ability to inject SQL commands could allow attackers to modify or delete database contents, compromising the integrity of the website.
3. Privilege Escalation: Depending on the database structure and permissions, attackers might be able to elevate their privileges within the WordPress installation.
4. System Compromise: In some cases, SQL injection can lead to broader system access, potentially compromising the entire web server.

The CVSS v3.1 base score of 6.5 indicates that this vulnerability has a medium severity, with a high potential impact on confidentiality.

Exploitation

There is no evidence that a public proof-of-concept exists, and there is no evidence of exploitation in the wild at the moment.

Patch

A patch is not explicitly mentioned in the provided information. However, given that the vulnerability affects "all versions up to, and including, 2024.08.26" of the Daily Prayer Time plugin for WordPress, it is likely that a patched version has been or will be released after this date. Website administrators should check for updates to the plugin and apply them as soon as they become available.

Mitigation

1. Update the Daily Prayer Time plugin: As soon as a patched version becomes available, update to the latest version of the plugin.
2. Temporary Deactivation: If an update is not immediately available, consider temporarily deactivating the Daily Prayer Time plugin until a secure version is released.
3. Access Control: Limit the number of users with Contributor-level access or higher, and regularly audit user permissions.
4. Web Application Firewall (WAF): Implement or configure a WAF to help detect and block SQL injection attempts.
5. Input Validation: If possible, implement additional server-side input validation and sanitization for the 'max_word' parameter in the 'quran_verse' shortcode.
6. Database Hardening: Ensure that the database user accounts used by WordPress have the minimal necessary privileges.
7. Regular Security Audits: Conduct regular security audits of your WordPress installation and all installed plugins.
8. Monitoring: Implement robust logging and monitoring to detect any suspicious database queries or activities.
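The PHP below is an added illustration of the bug class named in the Summary and of mitigation item 5; it is not the Daily Prayer Time plugin's own code. A hypothetical shortcode handler interpolates the max_word attribute straight into SQL (the pattern the advisory describes: no escaping, no prepared statement), beside a hardened version that coerces the attribute to a bounded integer and binds it through $wpdb->prepare(). The table name, column names and function names are assumptions.

```php
<?php
// Added example, not the plugin's code. Table, columns and function names
// are hypothetical; only the shortcode name and attribute come from the CVE.

// VULNERABLE PATTERN: the shortcode attribute is dropped into the query text.
// Any user who can edit post content (Contributor and above) controls the
// attribute, and nothing escapes it or prepares the statement.
function example_quran_verse_vulnerable( $atts ) {
    global $wpdb;
    $atts = shortcode_atts( array( 'max_word' => 20 ), $atts, 'quran_verse' );
    $sql  = "SELECT verse_text FROM {$wpdb->prefix}example_verses "
          . "WHERE word_count <= {$atts['max_word']} ORDER BY RAND() LIMIT 1";
    return esc_html( (string) $wpdb->get_var( $sql ) );
}

// HARDENED PATTERN: the attribute is coerced to a non-negative integer,
// clamped to a sane range, and bound as a %d placeholder, so the value can
// only ever change the comparison, never the structure of the query.
function example_quran_verse_hardened( $atts ) {
    global $wpdb;
    $atts     = shortcode_atts( array( 'max_word' => 20 ), $atts, 'quran_verse' );
    $max_word = absint( $atts['max_word'] ); // non-numeric input becomes 0, "12abc" becomes 12
    if ( $max_word < 1 || $max_word > 500 ) {
        $max_word = 20; // fall back to the documented default
    }
    $sql = $wpdb->prepare(
        "SELECT verse_text FROM {$wpdb->prefix}example_verses "
        . "WHERE word_count <= %d ORDER BY RAND() LIMIT 1",
        $max_word
    );
    return esc_html( (string) $wpdb->get_var( $sql ) );
}

// Register only the hardened handler; the vulnerable one is shown for contrast.
add_shortcode( 'quran_verse', 'example_quran_verse_hardened' );
```

When reviewing a plugin for this class of bug, grep for $wpdb->query / get_var / get_results calls whose SQL string contains an interpolated variable and no surrounding prepare(); WordPress also raises a _doing_it_wrong notice when prepare() is called without placeholders, which helps confirm the fix is wired up.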

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Timeline

First Article

Feedly found the first article mentioning CVE-2024-8621. See article

Sep 24, 2024 at 3:52 PM / VulDB Recent Entries
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Sep 24, 2024 at 3:53 PM
CVE Assignment

NVD published the first details for CVE-2024-8621

Sep 25, 2024 at 3:15 AM
CVSS

A CVSS base score of 9.9 has been assigned.

Sep 25, 2024 at 3:16 AM / nvd
EPSS

EPSS Score was set to: 0.06% (Percentile: 24%)

Sep 25, 2024 at 9:39 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (152242)

Sep 26, 2024 at 7:53 AM
Threat Intelligence Report

CVE-2024-8621 is a critical vulnerability in the Daily Prayer Time plugin for WordPress, with a CVSS score of 9.8, allowing authenticated attackers to exploit SQL Injection through the 'max_word' attribute of the 'quran_verse' shortcode in all versions up to and including 2024.08.26, potentially leading to the extraction of sensitive database information. The summary does not provide information on whether the vulnerability is being exploited in the wild, proof-of-concept exploits, mitigations, detections, patches, or downstream impacts on other vendors or technologies. See article

Sep 27, 2024 at 5:36 AM
CVSS

A CVSS base score of 6.5 has been assigned.

Oct 2, 2024 at 4:15 PM / nvd

Affected Systems

Mmrs151/daily_prayer_time

Patches

plugins.trac.wordpress.org

Attack Patterns

CAPEC-108: Command Line Execution through SQL Injection


News

Vulnerability Summary for the Week of September 23, 2024
High Vulnerabilities (Primary Vendor -- Product; Description; Published; CVSS Score; Source Info / Patch Info)

- Dover Fueling Solutions (DFS) -- ProGauge MAGLINK LX CONSOLE: A specially crafted POST request to the ProGauge MAGLINK LX CONSOLE UTILITY sub-menu can allow a remote attacker to inject arbitrary commands. Published 2024-09-25; CVSS 10; CVE-2024-43693; ics-cert@hq.dhs.gov
- Dover Fueling Solutions (DFS) -- ProGauge MAGLINK LX CONSOLE: A specially crafted POST request to the ProGauge MAGLINK LX CONSOLE IP sub-menu can allow a remote attacker to inject arbitrary commands. Published 2024-09-25; CVSS 10; CVE-2024-45066; ics-cert@hq.dhs.gov
- webdevmattcrom -- GiveWP Donation Plugin and Fundraising Platform: The GiveWP Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.1 via deserialization of untrusted input via several parameters like 'give_title' and 'card_address'. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files and achieve remote code execution. This is essentially the same vulnerability as CVE-2024-5932; however, it was discovered that the presence of stripslashes_deep on user_info allows the is_serialized check to be bypassed. This issue was mostly patched in 3.16.1, but further hardening was added in 3.16.2. Published 2024-09-28; CVSS 10; CVE-2024-8353; security@wordfence.com (source and patch info)
- Scriptcase -- Scriptcase: Vulnerability in the Scriptcase application version 9.4.019, which involves the arbitrary upload of a file via /scriptcase/devel/lib/third/jquery_plugin/jQuery-File-Upload/server/php/ via a POST request. An attacker could upload malicious files to the server due to the application not properly verifying user input. Published 2024-09-25; CVSS 10; CVE-2024-8940; cve-coordination@incibe.es
- n/a -- n/a: File Upload vulnerability in CS-Cart MultiVendor 4.16.1 allows remote attackers to run arbitrary code via the image upload feature when customizing a shop.
Update Sun Oct 13 14:25:38 UTC 2024
Web Application Detections Published in September 2024
In September, Qualys released QIDs targeting vulnerabilities in several widely-used software products, including WordPress, Tiki Wiki CMS, Apache HTTP Server, XWiki, Apache OFBiz, Lunary-ai, GitLab, Adobe ColdFusion, Moodle CMS, Zimbra, JBoss EAP, Kibana, Drupal, Ivanti Endpoint Manager (EPM), Apache Tomcat, Joomla!, Nginx, Open Secure Sockets Layer (OpenSSL). Customers can get more details about the following QIDs in our knowledge base. Customers should review their reports for these detections. If any of the following are reported against their applications scanned, customers should follow the steps mentioned in the solution to ensure their systems are protected against the identified vulnerabilities. QID Title 152148 WordPress WPML Plugin: Remote Code Execution Vulnerability (CVE-2024-6386) 152150 WordPress Bit Form Plugin: SQL Injection Vulnerability (CVE-2024-7702) 152151 WordPress Bit Form Plugin: Arbitrary File Read And Delete Vulnerability (CVE-2024-7777) 152157 WordPress LiquidPoll Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-7134) 152158 WordPress GEO my WP Plugin: Local File Inclusion Vulnerability (CVE-2024-6330) 152159 WordPress AI Engine Plugin:
Multiple Critical Vulnerabilities in WordPress (CVE-2024-8621, CVE-2024-8514, CVE ... - TZ-CERT
Overview. WordPress is vulnerable to critical vulnerabilities . Exploitation of these vulnerabilities may allow an unauthenticated attacker to execute ...

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability Impact: None
