CVE-2024-9874

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)

Published: Nov 9, 2024 / Updated: 10d ago

CVSS 4.9 | EPSS 0.08% | Severity: Medium

The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 5.4.6 due to insufficient escaping of the user-supplied parameter and lack of sufficient preparation of the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries to already existing queries that can be used to extract sensitive information from the database.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
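The root cause named above (an ‘orderby’ value reaching the SQL text without validation) has a standard fix that prepared statements alone cannot provide, because query placeholders bind values, not identifiers such as a sort column. The following PHP example is added here and is not the plugin's code; it uses hypothetical column names and contrasts the concatenation pattern the advisory describes with an allowlist:

```php
<?php
// Added example, not the plugin's code. The vulnerable position here is
// ORDER BY: query placeholders bind values, not identifiers, so escaping or
// prepare() on the sort column alone does not close this hole. The fix is an
// allowlist of column names. (WordPress also ships sanitize_sql_orderby();
// an explicit per-query allowlist as below is stricter.)
declare(strict_types=1);

// Hypothetical sort keys exposed to the request, mapped to real column names.
const ALLOWED_ORDERBY = [
    'id'    => 'id',
    'title' => 'title',
    'date'  => 'created_at',
];
const DEFAULT_ORDERBY = 'id';

/**
 * Builds an ORDER BY clause from allowlisted values only. Unknown input is
 * replaced by the default rather than escaped, so nothing user-controlled
 * ever reaches the SQL text.
 */
function build_order_clause(string $orderby, string $order): string
{
    $key = strtolower(trim($orderby));
    $column = ALLOWED_ORDERBY[$key] ?? ALLOWED_ORDERBY[DEFAULT_ORDERBY];

    // Direction is a two-value enum, not free text.
    $direction = strtoupper(trim($order)) === 'DESC' ? 'DESC' : 'ASC';

    return sprintf('ORDER BY `%s` %s', $column, $direction);
}

// The pattern the advisory describes, for contrast: the request parameter is
// spliced into the SQL, so anything beyond a column name becomes query syntax.
function build_order_clause_unsafe(string $orderby, string $order): string
{
    return 'ORDER BY ' . $orderby . ' ' . $order;
}

// Constructed inputs: a normal sort request, then one carrying extra SQL syntax.
foreach ([['title', 'desc'], ['id, title', 'asc']] as [$ob, $o]) {
    echo 'unsafe   : ' . build_order_clause_unsafe($ob, $o) . PHP_EOL;
    echo 'allowlist: ' . build_order_clause($ob, $o) . PHP_EOL;
}
```

The second input shows the difference: the unsafe builder passes the comma-separated text straight through, while the allowlist builder yields `ORDER BY `id` ASC` because the key is not recognised.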

Timeline

First Article

Feedly found the first article mentioning CVE-2024-9874.

Nov 9, 2024 at 12:30 AM / VulDB Recent Entries
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Nov 9, 2024 at 12:31 AM
CVE Assignment

NVD published the first details for CVE-2024-9874

Nov 9, 2024 at 7:15 AM
CVSS

A CVSS base score of 4.9 has been assigned.

Nov 9, 2024 at 7:20 AM / nvd
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Nov 9, 2024 at 7:33 AM
EPSS

EPSS Score was set to: 0.08% (Percentile: 35.4%)

Nov 10, 2024 at 10:24 AM

Affected Systems

Wordpress/wordpress

Attack Patterns

CAPEC-108: Command Line Execution through SQL Injection

News

Medium - CVE-2024-9874 - The Poll Maker – Versus Polls, Anonymous Polls,...
CVE-2024-9874
Severity 3.1 (CVSS 3.1 Base Score)
CVE-2024-9874 - "WordPress Poll Maker SQL Injection Vulnerability"
CVE ID: CVE-2024-9874. Published: Nov. 9, 2024, 7:15 a.m. Severity: 4.9
CVE-2024-9874
WordPress Poll Maker Plugin <= 5.4.6 - Authenticated (Administrator+) Time-Based SQL Injection
Ays-pro - MEDIUM - CVE-2024-9874

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
