Unauthenticated SQL Injection Vulnerability in WP eCommerce Plugin
CVE-2024-1514

7.5HIGH

Key Information:

Vendor

Wordpress

Vendor
CVE Published:
28 February 2024

What is CVE-2024-1514?

The WP eCommerce plugin for WordPress exhibits a serious vulnerability that allows for execution of time-based blind SQL Injection attacks through the 'cart_contents' parameter. This flaw arises from inadequate escaping of user-supplied input, alongside a lack of necessary preparation for the existing SQL queries. As a result, this vulnerability empowers unauthenticated attackers to introduce arbitrary SQL queries into the existing ones, potentially leading to the unauthorized extraction of sensitive information stored in the database.

Affected Version(s)

WP eCommerce * <= 3.15.1

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Krzysztof ZajÄ…c
.
The Cyber Security Vulnerability Database.