CVE-2024-9130

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)

Published: Sep 27, 2024 / Updated: 53d ago

010
CVSS 7.2EPSS 0.11%High
CVE info copied to clipboard

Summary

The GiveWP – Donation Plugin and Fundraising Platform for WordPress contains a time-based SQL Injection vulnerability in the 'order' parameter. This affects all versions up to and including 3.16.1. The vulnerability is due to insufficient escaping of user-supplied parameters and lack of proper preparation of existing SQL queries. This vulnerability is present in the Legacy View mode.

Impact

This vulnerability allows authenticated attackers with GiveWP Manager-level access or higher to append additional SQL queries to existing queries. This can be exploited to extract sensitive information from the database. The potential impact is high for confidentiality, integrity, and availability of the affected system.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

A patch is available. The vulnerability has been addressed in version 3.16.2 of the GiveWP plugin.

Mitigation

To mitigate this vulnerability, it is strongly recommended to update the GiveWP plugin to version 3.16.2 or later. If immediate updating is not possible, consider temporarily restricting access to the GiveWP Manager role and above, and disable the Legacy View mode if feasible. Additionally, implement strong access controls and monitor for any suspicious database queries or activities.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Timeline

First Article

Feedly found the first article mentioning CVE-2024-9130. See article

Sep 27, 2024 at 5:35 AM / CVE
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Sep 27, 2024 at 5:37 AM
CVE Assignment

NVD published the first details for CVE-2024-9130

Sep 27, 2024 at 6:15 AM
CVSS

A CVSS base score of 7.2 has been assigned.

Sep 27, 2024 at 6:20 AM / nvd
EPSS

EPSS Score was set to: 0.11% (Percentile: 44.1%)

Sep 28, 2024 at 9:21 AM
Static CVE Timeline Graph

Affected Systems

Givewp/givewp
+null more

Patches

plugins.trac.wordpress.org
+null more

Attack Patterns

CAPEC-108: Command Line Execution through SQL Injection
+null more

News

Update Sat Sep 28 14:32:32 UTC 2024
Update Sat Sep 28 14:32:32 UTC 2024
High - CVE-2024-9130 - The GiveWP – Donation Plugin and Fundraising...
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order’ parameter in all versions up to, and including, 3.16.1 due to...
CVE-2024-9130
Gravedad 3.1 (CVSS 3.1 Base Score) Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
SQL Injection Vulnerability in GiveWP's Donation Plugin
Webdevmattcrom - HIGH - CVE-2024-9130 The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order’ parameter in all versions up to, and including, 3.16.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with GiveWP Manager-level access and above, to append additional SQL queries into already existing queries within the Legacy View mode, that can be used to extract sensitive information from the database.
CVE-2024-9130 - GiveWP SQL Injection Vulnerability
CVE ID : CVE-2024-9130 Published : Sept. 27, 2024, 6:15 a.m. 16 minutes ago Description : The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order’ parameter in all versions up to, and including, 3.16.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with GiveWP Manager-level access and above, to append additional SQL queries into already existing queries within the Legacy View mode, that can be used to extract sensitive information from the database. Severity: 7.2
See 6 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:High
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI