Unauthenticated SQL Injection Vulnerability in Piraeus Bank WooCommerce Payment Gateway Plugin
CVE-2024-0610

9.8CRITICAL

Key Information:

Vendor: WordPress
Status: Piraeus Bank WooCommerce Payment Gateway
Vendor: CVE Published:; 17 February 2024

What is CVE-2024-0610?

The Piraeus Bank WooCommerce Payment Gateway plugin for WordPress is subject to a time-based blind SQL injection vulnerability. This issue arises from inadequate escaping of user-supplied parameters, particularly the 'MerchantReference' parameter. Versions of the plugin up to and including 1.6.5.1 lack sufficient preparation for the SQL queries, allowing unauthenticated attackers to inject additional SQL statements. Consequently, this could lead to the unauthorized extraction of sensitive data from the database, posing significant risks to data integrity and security.

Affected Version(s)

Piraeus Bank WooCommerce Payment Gateway * <= 1.6.5.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 17, 2024
Vulnerability Reserved
Jan 16, 2024

Credit

Francesco Carlucci