CVE-2024-27956
WordPress Automatic plugin <= 3.92.0 - Unauthenticated Arbitrary SQL Execution vulnerability
In short
The WordPress Automatic plugin allows attackers to execute arbitrary SQL commands without needing to log in, potentially exposing or modifying sensitive database information. This happens because the plugin does not properly validate user input before using it in database queries.
Technical detail
CWE-89 SQL Injection vulnerability in Automatic plugin versions up to 3.92.0 allows unauthenticated attackers to inject malicious SQL commands through inadequately sanitized input parameters. Successful exploitation enables unauthorized database access, data exfiltration, or modification without requiring valid credentials.
Summary generated and translated by AI from the official description.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ValvePress Automatic allows SQL Injection. This issue affects Automatic: from n/a through 3.92.0.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L
Affected products
ValvePress · Automatic
Public PoCs found — 16