SQL Injection Vulnerability in Hero Maps Premium Plugin for WordPress
CVE-2024-13781

6.5MEDIUM

Key Information:

Vendor: WordPress
Status: Hero Maps Premium
Vendor: CVE Published:; 7 March 2025

Summary

The Hero Maps Premium plugin for WordPress is susceptible to an SQL Injection vulnerability due to inadequate escaping of user-supplied parameters and insufficient preparation of existing SQL queries. This flaw allows authenticated attackers with Subscriber-level access or higher to inject additional SQL queries, potentially leading to the exposure of sensitive data from the database. This type of vulnerability poses significant risks, including data breaches and unauthorized access to critical information.

Affected Version(s)

Hero Maps Premium * <= 2.3.9

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://codecanyon.net/item/hero-maps-premium-responsive-...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 7, 2025
Vulnerability Reserved
Jan 28, 2025

Credit

Lucio Sá