SQL Injection Vulnerability in Advanced Floating Content Plugin for WordPress
CVE-2024-12031

6.5 MEDIUM

Key Information:

Vendor
Wordpress
CVE Published:
24 December 2024

Summary

The Advanced Floating Content plugin for WordPress is vulnerable to SQL injection through the 'floating_content_duplicate_post' function in all versions up to and including 3.8.2. The flaw arises because a user-supplied parameter is neither escaped nor bound through a prepared query before it reaches the database. As a result, authenticated attackers with subscriber-level access or higher can append additional SQL to an existing query and compromise the confidentiality and integrity of sensitive data stored in the database. Users of the plugin should apply the available updates and security measures to protect against exploitation.
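As an added illustration, not the plugin's own code, the two patterns the summary contrasts, written against the WordPress $wpdb API: a handler that interpolates a request parameter straight into SQL, and the same handler with a nonce check, capability checks and $wpdb->prepare(). The function names and the nonce action 'afc_demo_duplicate' are assumptions.

```php
<?php
// Illustrative only: a hypothetical duplicate-post handler showing the bug
// class described in the advisory and its fix. Not the plugin's actual code.

// Vulnerable pattern: the post ID arrives from the request and is
// interpolated directly into SQL, so a crafted value alters the query.
function afc_demo_duplicate_post_vulnerable() {
    global $wpdb;
    $post_id = $_GET['post_id'];                  // untrusted, unvalidated
    $sql     = "SELECT * FROM {$wpdb->posts} WHERE ID = $post_id";
    return $wpdb->get_row( $sql );                // no escaping, no prepare()
}

// Hardened pattern: verify the request, authorise the actor, coerce the
// parameter to an integer, and bind it with $wpdb->prepare().
function afc_demo_duplicate_post_hardened() {
    global $wpdb;

    // CSRF check: the form that triggers this action must carry a nonce.
    check_admin_referer( 'afc_demo_duplicate' );

    // Authorisation: any logged-in user, including subscribers, can reach
    // admin-ajax/admin-post endpoints, so an explicit capability check is required.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // Type coercion: an integer cannot carry SQL syntax.
    $post_id = isset( $_GET['post_id'] ) ? absint( $_GET['post_id'] ) : 0;
    if ( 0 === $post_id ) {
        wp_die( 'Invalid post ID', '', array( 'response' => 400 ) );
    }

    // Parameterised query: %d binds the value as an integer.
    $row = $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$wpdb->posts} WHERE ID = %d", $post_id )
    );
    if ( ! $row ) {
        wp_die( 'Post not found', '', array( 'response' => 404 ) );
    }

    // Per-object authorisation: may this user edit this particular post?
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    $post_data = (array) $row;
    unset( $post_data['ID'] );                    // let MySQL assign a new ID
    $post_data['post_status'] = 'draft';          // copies start unpublished
    return wp_insert_post( wp_slash( $post_data ), true );
}
```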

Affected Version(s)

Advanced Floating Content * <= 3.8.2

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Thái An