SQL Injection Vulnerability in Frontend Admin Plugin for WordPress by DynamiApps
CVE-2024-11722
5.9 MEDIUM
Key Information:
- Vendor: WordPress
- CVE Published: 21 December 2024
Summary
The Frontend Admin plugin developed by DynamiApps for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to and including 3.25.1. The cause is insufficient escaping of the user-supplied parameter and a lack of proper preparation of the resulting SQL query. An unauthenticated attacker who has been granted permission to view form submissions can append additional SQL queries to existing ones, provided a shortcode that displays form submissions has been added to a page; this can be used to extract sensitive information from the database.
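To illustrate the flaw class described above, here is an added example (not the plugin's code) that places the unsafe "interpolate the orderby value" pattern beside an allow-list version; the table name, column names and function names are assumed for the demonstration.

```php
<?php
// Added example, not the plugin's code: the unsafe "interpolate orderby"
// pattern beside an allow-list version. Table and column names are assumed.

/**
 * Unsafe pattern: the request's 'orderby' value is dropped straight into the
 * statement. $wpdb->prepare() placeholders (%s, %d) only cover values, so an
 * identifier such as an ORDER BY column cannot be fixed by prepare() alone.
 */
function fa_example_unsafe_query( $orderby ) {
    return "SELECT id, form_id, created FROM wp_form_submissions ORDER BY {$orderby}";
}

/**
 * Hardened pattern: accept only a fixed set of sortable columns and the two
 * sort directions; anything else silently falls back to the default order.
 */
function fa_example_safe_query( $orderby, $order = 'DESC' ) {
    $allowed = array( 'id', 'form_id', 'created' ); // assumed sortable columns
    $column  = in_array( $orderby, $allowed, true ) ? $orderby : 'id';
    $dir     = ( 'ASC' === strtoupper( (string) $order ) ) ? 'ASC' : 'DESC';
    return "SELECT id, form_id, created FROM wp_form_submissions ORDER BY `{$column}` {$dir}";
}

// Constructed request values: a legitimate column, then an arbitrary string
// that is not one of the allow-listed columns.
$requests = array(
    array( 'orderby' => 'created',               'order' => 'asc' ),
    array( 'orderby' => 'created; not a column', 'order' => 'bogus' ),
);

foreach ( $requests as $req ) {
    // The unsafe builder passes the second value through untouched;
    // the allow-list builder discards it and sorts by the default column.
    echo "unsafe: ", fa_example_unsafe_query( $req['orderby'] ), "\n";
    echo "safe:   ", fa_example_safe_query( $req['orderby'], $req['order'] ), "\n\n";
}
```

WordPress core also ships sanitize_sql_orderby(), which checks the clause against a column-name/direction pattern and returns false otherwise; an explicit allow-list of the columns the feature actually sorts on is stricter and easier to audit.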
Affected Version(s)
Frontend Admin by DynamiApps: all versions <= 3.25.1
CVSS V3.1
- Score: 5.9
- Severity: MEDIUM
- Confidentiality: High
- Integrity: None
- Availability: High
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Credit
Max Boll