SQL Injection Vulnerability in WordPress HelpDesk & Support Plugin
CVE-2024-0594

8.8HIGH

Key Information:

Vendor: Wordpress
Status: Awesome Support – WordPress Helpdesk & Support Plugin
Vendor: CVE Published:; 10 February 2024

What is CVE-2024-0594?

The Awesome Support – WordPress HelpDesk & Support Plugin is susceptible to union-based SQL Injection through the 'q' parameter of the wpas_get_users action. This vulnerability arises from inadequate escaping of user-supplied inputs and insufficient preparation within the SQL query. Authenticated attackers with subscriber-level access and above can exploit this flaw to inject additional SQL commands surrounding existing queries, thereby gaining access to sensitive data stored in the database. Users of all versions up to and including 6.1.7 are at risk, prompting urgent attention to mitigate potential data breaches.

Affected Version(s)

Awesome Support – WordPress HelpDesk & Support Plugin * <= 6.1.7

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/awesome-suppor...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 10, 2024
Vulnerability Reserved
Jan 16, 2024

Credit

Krzysztof Zając

Wordpress

What is CVE-2024-0594?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit