SQL Injection Vulnerability in FULL – Cliente WordPress Plugin by FULL
CVE-2024-12023

6.5MEDIUM

Key Information:

Vendor: WordPress
Status: Full – Cliente
Vendor: CVE Published:; 2 May 2025

What is CVE-2024-12023?

The FULL – Cliente plugin for WordPress is vulnerable to an SQL Injection attack via the 'formId' parameter. This vulnerability arises from inadequate escaping of user-supplied input and insufficient preparation of existing SQL queries. Authenticated attackers, with Subscriber-level access and higher, can exploit this weakness when the PRO version of the plugin is active, alongside the Elementor Pro and Elementor CRM plugins. The exploitation allows attackers to inject malicious SQL commands, potentially exposing sensitive information stored in the database.

Affected Version(s)

FULL – Cliente * <= 3.1.25

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/full-customer/...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 2, 2025
Vulnerability Reserved
Dec 2, 2024

Credit

Kenneth Dunn