Time-Based SQL Injection Vulnerability in Google Tag Manager for WooCommerce Plugin
CVE-2024-0786

6.5MEDIUM

Key Information:

Vendor

Wordpress
Status
Conversios – Google Analytics 4 (ga4), Meta Pixel & More Via Google Tag Manager For WooCommerce
Vendor
CVE Published:
28 February 2024

What is CVE-2024-0786?

The Conversios plugin for Google Analytics 4, Meta Pixel, and WooCommerce is susceptible to a time-based SQL Injection vulnerability through the 'ee_syncProductCategory' function. This issue arises from inadequate escaping of user-provided parameters such as 'conditionData', 'valueData', 'productArray', 'exclude', and 'include'. Authenticated attackers with subscriber-level access or higher can exploit this vulnerability by injecting additional SQL queries into existing queries, potentially leading to the extraction of sensitive database information.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Conversios – Google Analytics 4 (GA4), Meta Pixel & more Via Google Tag Manager For WooCommerce * <= 6.9.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/enhanced-e-com...

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Maksim Kosenko
JSON
.