SQL Injection Vulnerability in WP Data Access Plugin for WordPress
CVE-2024-12428

7.5HIGH

Key Information:

Vendor: Wordpress
Status: WP Data Access – App, Table, Form And Chart Builder Plugin
Vendor: CVE Published:; 25 December 2024

Summary

The WP Data Access Plugin for WordPress has a vulnerability that enables SQL Injection through the 'order[user_login][dir]' parameter in all releases up to version 5.5.22. This arises from inadequate escaping of user-supplied data and a failure to properly prepare the existing SQL queries. An attacker without authentication can exploit this flaw to inject additional SQL commands into existing queries, potentially allowing them to access sensitive information within the database. Website administrators are advised to update to version 5.5.23 or above to mitigate this security risk.

Affected Version(s)

WP Data Access – App, Table, Form and Chart Builder plugin * <= 5.5.22

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3210150/wp-d...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 25, 2024
Vulnerability Reserved
Dec 10, 2024

Credit

Michael Mazzolini