SQL Injection Vulnerability in WP Data Access Plugin for WordPress
CVE-2024-12428
7.5HIGH
Key Information:
- Vendor
Wordpress
- Vendor
- CVE Published:
- 25 December 2024
What is CVE-2024-12428?
The WP Data Access Plugin for WordPress has a vulnerability that enables SQL Injection through the 'order[user_login][dir]' parameter in all releases up to version 5.5.22. This arises from inadequate escaping of user-supplied data and a failure to properly prepare the existing SQL queries. An attacker without authentication can exploit this flaw to inject additional SQL commands into existing queries, potentially allowing them to access sensitive information within the database. Website administrators are advised to update to version 5.5.23 or above to mitigate this security risk.
Affected Version(s)
WP Data Access – App, Table, Form and Chart Builder plugin * <= 5.5.22