SQL Injection Vulnerability in Frontend Admin Plugin for WordPress by DynamiApps
CVE-2024-11722
CVSS score: 5.9 (MEDIUM)
Key Information:
- Vendor: WordPress
- CVE Published: 21 December 2024
What is CVE-2024-11722?
The Frontend Admin plugin for WordPress, developed by DynamiApps, is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to and including 3.25.1. The flaw stems from insufficient escaping of the user-supplied parameter and a lack of proper preparation of the SQL query that uses it. As a result, unauthenticated attackers who have been granted permission to view form submissions can append additional SQL queries to existing ones, which can be used to extract sensitive information from the database when a shortcode that includes form submissions is added to a page.
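To make the mechanism concrete, here is an added illustration (not the plugin's code, and written in Python rather than the plugin's PHP) of an ORDER BY clause built from a caller-supplied 'orderby' value, first by unsafe interpolation and then with the allowlist check that fixes it; the table and column names are assumptions.

```python
import sqlite3

# Constructed allowlist of columns a form-submissions listing may sort by.
# The advisory names only the 'orderby' parameter; these column names are assumptions.
ALLOWED_ORDERBY = {"id", "form_id", "created_at"}
ALLOWED_DIRECTION = {"ASC", "DESC"}


def build_query_vulnerable(orderby: str) -> str:
    """The unsafe pattern: the caller-supplied value is spliced straight into the SQL.

    Escaping does not help here, because ORDER BY takes an identifier, not a quoted
    string value, and an identifier cannot be bound as a prepared-statement parameter.
    Whatever the caller sends becomes part of the executed query."""
    return f"SELECT id, form_id, created_at FROM submissions ORDER BY {orderby}"


def build_query_hardened(orderby: str, direction: str = "ASC") -> str:
    """The fix: accept only identifiers from a fixed allowlist, validating the sort
    column and the sort direction separately so neither can carry extra SQL."""
    if orderby not in ALLOWED_ORDERBY:
        raise ValueError(f"orderby not permitted: {orderby!r}")
    direction = direction.upper()
    if direction not in ALLOWED_DIRECTION:
        raise ValueError(f"direction not permitted: {direction!r}")
    return f"SELECT id, form_id, created_at FROM submissions ORDER BY {orderby} {direction}"


def fetch_submissions(orderby: str, direction: str = "ASC") -> list:
    """Runs the hardened query against a constructed in-memory table of sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE submissions (id INTEGER PRIMARY KEY, form_id INTEGER, created_at TEXT)")
    conn.executemany(
        "INSERT INTO submissions VALUES (?, ?, ?)",
        [(1, 7, "2024-12-01"), (2, 3, "2024-11-15"), (3, 7, "2024-12-20")],
    )
    try:
        return conn.execute(build_query_hardened(orderby, direction)).fetchall()
    finally:
        conn.close()


def is_orderby_accepted(orderby: str, direction: str = "ASC") -> bool:
    """True if the allowlist would let this (orderby, direction) pair through."""
    try:
        build_query_hardened(orderby, direction)
        return True
    except ValueError:
        return False
```

Note that "id DESC" is rejected by the hardened builder even though both tokens are individually valid: the column and the direction are validated as separate inputs, so the caller cannot smuggle anything through the space between them.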
Affected Version(s):
- Frontend Admin by DynamiApps: <= 3.25.1