Blind Time-Based SQL Injection Vulnerability Affects Blogger Plugin
CVE-2024-10645

7.5HIGH

Key Information:

Vendor: Wordpress
Status: Blogger 301 Redirect
Vendor: CVE Published:; 16 November 2024

Summary

The Blogger 301 Redirect plugin for WordPress is subject to a vulnerability that allows blind time-based SQL injection through improper handling of the ‘br’ parameter. This vulnerability exists in all versions up to and including 2.5.3 due to insufficient escaping of user-supplied parameters and lack of adequate preparation in the SQL queries. An attacker, without needing authentication, can potentially manipulate the SQL queries, paving the way for unauthorized access to sensitive database information. Website administrators are urged to apply the appropriate updates to mitigate this risk.

Affected Version(s)

Blogger 301 Redirect * <= 2.5.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/blogger-301-re...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 16, 2024
Vulnerability Reserved
Oct 31, 2024

Credit

Kenneth Dunn