Exploit
CVE-2024-9156

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)

Published: Oct 10, 2024 / Updated: 40d ago

CVSS 7.5 (High) / EPSS 0.04%

Summary

The TI WooCommerce Wishlist WordPress plugin, through version 2.8.2, is vulnerable to SQL injection: a user-supplied parameter is not sufficiently escaped, and the query it flows into is not built as a prepared statement. An unauthenticated attacker can therefore append additional SQL (such as a UNION clause) to the existing query and read data from other tables in the WordPress database.
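To make the two defects named in the summary concrete, here is an added illustration in Python over an in-memory SQLite database. It is not the plugin's code, and the advisory does not show the actual vulnerable query; the table names, column names and the `id` parameter are assumptions for the demonstration. It models escaping that only neutralises quote characters, applied to a value that lands in an unquoted numeric position, alongside the absence of a parameterised query. The hardened variant shows the fix, which in WordPress code corresponds to `$wpdb->prepare()` with a `%d` placeholder.

```python
import sqlite3


# Constructed schema standing in for the plugin's wishlist table and wp_users.
# Names are assumptions for the demo, not the plugin's real schema.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE wishlist (id INTEGER, title TEXT, share_key TEXT);
        CREATE TABLE users (user_login TEXT, user_pass TEXT);
        INSERT INTO wishlist VALUES (1, 'Birthday', 'k1');
        INSERT INTO wishlist VALUES (2, 'Garden', 'k2');
        INSERT INTO users VALUES ('admin', '$P$BexampleHash');
        """
    )
    return conn


def esc_sql(value: str) -> str:
    """Quote-only escaping, in the spirit of WordPress esc_sql()/addslashes.

    It makes a value safe inside a quoted string literal and nothing else.
    SQLite doubles single quotes rather than backslash-escaping them.
    """
    return value.replace("'", "''")


def fetch_wishlist_vulnerable(conn: sqlite3.Connection, wishlist_id: str):
    # Intentionally vulnerable: the escaped value is interpolated into an
    # unquoted numeric position, so quote escaping is irrelevant and any
    # payload that avoids quote characters is appended to the query verbatim.
    query = f"SELECT id, title FROM wishlist WHERE id = {esc_sql(wishlist_id)}"
    return conn.execute(query).fetchall()


def fetch_wishlist_hardened(conn: sqlite3.Connection, wishlist_id: str):
    # Fix: enforce the expected type, then bind the value as a parameter so
    # the driver never lets it become part of the SQL text. The WordPress
    # equivalent is $wpdb->prepare("... WHERE id = %d", $wishlist_id).
    try:
        wid = int(wishlist_id)
    except ValueError:
        return []
    return conn.execute(
        "SELECT id, title FROM wishlist WHERE id = ?", (wid,)
    ).fetchall()


# Attacker-controlled parameter value: it contains no quote characters, so
# esc_sql() leaves it untouched, and the UNION appends a second SELECT that
# reads the users table through the wishlist query.
PAYLOAD = "0 UNION SELECT user_login, user_pass FROM users"


def demo():
    conn = make_db()
    return {
        "vulnerable_normal": fetch_wishlist_vulnerable(conn, "1"),
        "vulnerable_payload": fetch_wishlist_vulnerable(conn, PAYLOAD),
        "hardened_normal": fetch_wishlist_hardened(conn, "1"),
        "hardened_payload": fetch_wishlist_hardened(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The point of the hardened version is the order of operations: type enforcement first, then binding. Escaping alone cannot be made safe for a numeric position, and binding alone without the integer cast would still work in SQLite but would silently accept garbage; doing both matches what `$wpdb->prepare()` with `%d` does.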

Impact

An unauthenticated attacker can run attacker-chosen SQL reads against the WordPress database, exposing whatever it stores: user credentials (wp_users login names and password hashes), personal data, and any other confidential rows, depending on what the site keeps in the affected database. The CVSS 3.1 base score of 7.5 (High) reflects a network attack vector, low complexity, no privileges and no user interaction, with high confidentiality impact and no integrity or availability impact; the rating treats this as data extraction rather than data tampering. Because no account is needed and the request is a single HTTP call, the bar for exploitation is low.

Exploitation

One proof-of-concept exploit is listed at wpscan.com (see Exploits below). There is no evidence of exploitation in the wild at the time of writing.

Patch

The source entries do not name a fixed version. Since the advisory states that versions through 2.8.2 are affected, check the plugin's listing on wordpress.org and its changelog for a release later than 2.8.2 that references this issue. Do not assume a newer version is fixed only because its number is higher; the advisory itself does not say so.

Mitigation

1. Update the TI WooCommerce Wishlist plugin to a version newer than 2.8.2 as soon as one that addresses this issue is available.
2. If no fixed version is available, deactivate the plugin until one is released; the injectable query is reachable without authentication, so there is no login to hide it behind.
3. Deploy WAF rules that block common SQL injection tokens (UNION SELECT, SLEEP(), comment terminators) in request parameters, as a stopgap only: signature rules can be bypassed and do not fix the query.
4. Review web-server and database logs for injection attempts, and for unusual reads of wp_users (user_login, user_pass, user_email), the most likely extraction target.
5. Run WordPress under a database account limited to its own database. This does not stop extraction of WordPress tables, which the application must be able to read, but it prevents pivoting into other databases on the same server.
6. In any custom code that queries the database, build statements with $wpdb->prepare() and placeholders (%d, %s) rather than interpolating or merely escaping input.
7. Keep regular, tested backups of the WordPress database. A backup does not undo a read-only disclosure, so if exploitation is confirmed, force password resets, since user_pass hashes may have been read.
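For mitigation items 3 and 4, here is an added example of the detection side, not taken from the page or the plugin vendor: a small Python scanner that parses combined-format web-server access log lines, URL-decodes each query-string parameter (twice, to catch double encoding), and flags values carrying common SQL injection tokens. The log lines are constructed for the demo, and the admin-ajax.php action name and `id` parameter are placeholders, not the plugin's real endpoints. It goes slightly beyond this one CVE by matching several injection families, because a WAF or log-review rule written for a single payload misses the rest.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Combined log format (Apache/nginx default):
#   ip ident user [ts] "METHOD target proto" status bytes "referer" "ua"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Injection families, checked in order; the first hit per parameter is reported.
SQLI_SIGNATURES = [
    ("union-select", re.compile(r"\bunion\b[\s/*]+(all[\s/*]+)?select\b", re.I)),
    ("time-based", re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.I)),
    ("schema-probe", re.compile(r"\binformation_schema\b", re.I)),
    ("tautology", re.compile(r"\b(or|and)\s+\d+\s*=\s*\d+", re.I)),
    ("comment-terminator", re.compile(r"(--(\s|$)|/\*)")),
]


def inspect_request(line: str):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    hits = []
    # parse_qsl decodes once; unquote_plus again so a double-encoded payload
    # (%2520 for a space) does not slip past the patterns.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = unquote_plus(value)
        for label, rx in SQLI_SIGNATURES:
            if rx.search(decoded):
                hits.append((name, label))
                break
    # Tool fingerprints are weak evidence on their own but cheap to record.
    if "sqlmap" in m.group("ua").lower():
        hits.append(("user-agent", "scanner-ua"))
    if not hits:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "path": parts.path,
        "status": int(m.group("status")),
        "hits": hits,
    }


def scan_log(lines):
    return [f for f in (inspect_request(ln) for ln in lines) if f is not None]


# Constructed sample traffic (not real logs); the action name and id parameter
# are placeholders, not the plugin's actual endpoints.
SAMPLE_LOG = [
    '198.51.100.7 - - [15/Oct/2024:17:10:01 +0000] "GET /wp-admin/admin-ajax.php?action=get_wishlist&id=7 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [15/Oct/2024:17:12:03 +0000] "GET /wp-admin/admin-ajax.php?action=get_wishlist&id=0+UNION+SELECT+user_login,user_pass+FROM+wp_users HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [15/Oct/2024:17:12:09 +0000] "GET /wp-admin/admin-ajax.php?action=get_wishlist&id=1%20AND%20SLEEP(5)-- HTTP/1.1" 200 812 "-" "sqlmap/1.8"',
    '203.0.113.5 - - [15/Oct/2024:17:12:15 +0000] "GET /wp-admin/admin-ajax.php?action=get_wishlist&id=0%2520UNION%2520SELECT%25201,2 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Two caveats for anyone adapting this: POST bodies are not in the access log, so an injection sent in a form body needs the WAF or application-level logging rather than this scanner, and a 200 status on a flagged request is worth more attention than a 4xx, since it suggests the payload reached the query. Neither rule is a substitute for removing the injectable query.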

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Timeline

CVE Assignment

NVD published the first details for CVE-2024-9156

Oct 10, 2024 at 6:15 AM
First Article

Feedly found the first article mentioning CVE-2024-9156.

Oct 10, 2024 at 6:21 AM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 10, 2024 at 6:21 AM
CVSS

A CVSS base score of 5.9 has been assigned.

Oct 10, 2024 at 3:40 PM / nvd
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.7%)

Oct 11, 2024 at 11:20 AM
CVSS

A CVSS base score of 7.5 has been assigned.

Oct 15, 2024 at 2:45 PM / nvd
Proof of Concept (PoC) Released

A proof of concept exploit has been released

Oct 15, 2024 at 5:12 PM

Affected Systems

Templateinvaders/ti_woocommerce_wishlist

Exploits

https://wpscan.com/vulnerability/e95974f9-1f68-4181-89b0-3559d61cfa93/

Attack Patterns

CAPEC-108: Command Line Execution through SQL Injection

News

WordPress Vulnerability & Patch Roundup October 2024
Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-9528 Number of Installations: 500,000+ Affected Software: Contact Form Plugin by Fluent Forms <= 5.1.19 Patched Versions: Contact Form Plugin by Fluent Forms 5.1.20 Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-8499 Number of Installations: 400,000+ Affected Software: Checkout Field Editor for WooCommerce <= 2.0.3 Patched Versions: Checkout Field Editor for WooCommerce 2.0.4
CVE-2024-9156 Exploit
CVE Id : CVE-2024-9156 Published Date: 2024-10-15T14:40:00+00:00 The TI WooCommerce Wishlist WordPress plugin through 2.8.2 is vulnerable to SQL Injection due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. inTheWild added a link to an exploit: https://wpscan.com/vulnerability/e95974f9-1f68-4181-89b0-3559d61cfa93/
NA - CVE-2024-9156 - The TI WooCommerce Wishlist WordPress plugin...
The TI WooCommerce Wishlist WordPress plugin through 2.8.2 is vulnerable to SQL Injection due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:None
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:None
Availability Impact:None
