CVE-2024-0566

Smart Manager < 8.28.0 - Admin+ SQL Injection

CVSS 7.2 HIGHEPSS 3.3%

Vexday Risk Score

41Attention

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 7.2EPSS 3.3%KEV nãoPoC públicaNuclei —Metasploit —Patch —

Lifecycle

12 Feb 2024Published on NVD

09 May 2024Public PoC

Recommendation: Plan a near-term fix — a public PoC already exists.

The Smart Manager WordPress plugin before 8.28.0 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Affected products

Unknown · Smart Manager

public PoCs found — 3

githubgithub.com/xbz0n/CVE-2024-0566★ 1 cve_referencewpscan.com/vulnerability/ca83db95-4a08-4615-aa8d-016022404c32/unverified exploitdbwww.exploit-db.com/exploits/52247unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://wpscan.com/vulnerability/ca83db95-4a08-4615-aa8d-016022404c32/