AWeber Plugin Vulnerable to SQL Injection, Puts Sensitive Data at Risk
CVE-2024-1793

7.2 HIGH

Summary

The AWeber – Free Sign Up Form and Landing Page Builder Plugin for WordPress is susceptible to a SQL Injection vulnerability through the 'post_id' parameter. This issue arises from inadequate escaping of user-supplied parameters and insufficient preparation in the SQL query. Authenticated attackers with administrator-level access can exploit this weakness to inject additional SQL commands into existing queries, potentially accessing and extracting sensitive information from the database, thereby compromising the security of users' data and the integrity of the application.
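An added illustration of the bug class the summary describes, written for this page and not taken from the AWeber plugin: the weak pattern interpolates the request value straight into the query, and the hardened pattern coerces the type and binds it with `$wpdb->prepare()`. The table name `example_forms` and both function names are hypothetical; the code assumes it runs inside WordPress with the global `$wpdb` available.

```php
<?php
// Hypothetical example code, not the plugin's own. Assumes a WordPress context
// (global $wpdb, current_user_can(), absint(), WP_Error are all core APIs).

// WEAK PATTERN: the raw request value is concatenated into the SQL string, so
// anything other than a plain number in 'post_id' becomes part of the query
// text. This is the "insufficient preparation" an advisory like this refers to.
function example_get_form_unsafe() {
    global $wpdb;
    $post_id = isset( $_GET['post_id'] ) ? $_GET['post_id'] : '';
    $sql     = "SELECT * FROM {$wpdb->prefix}example_forms WHERE post_id = '{$post_id}'";
    return $wpdb->get_results( $sql );
}

// HARDENED PATTERN: explicit capability check, integer coercion, and a typed
// placeholder bound through $wpdb->prepare().
function example_get_form_safe() {
    global $wpdb;

    // Even a code path reachable only by administrators should verify the
    // capability itself rather than rely on where the page is linked from.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient permissions.' );
    }

    // A post ID can only be a positive whole number; absint() discards
    // everything else, so a crafted string can never reach the query.
    $post_id = isset( $_GET['post_id'] ) ? absint( $_GET['post_id'] ) : 0;
    if ( 0 === $post_id ) {
        return new WP_Error( 'bad_request', 'Invalid post_id.' );
    }

    // %d binds the value as an integer; user data cannot alter query structure.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}example_forms WHERE post_id = %d",
        $post_id
    );
    return $wpdb->get_results( $sql );
}
```

When reviewing a plugin for this class of issue, a quick check is to search for `$wpdb->query`, `get_results`, `get_var` and `get_row` calls whose SQL string is built with interpolation or concatenation and is not wrapped in `$wpdb->prepare()`.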

Affected Version(s)

AWeber – Free Sign Up Form and Landing Page Builder Plugin for Lead Generation and Email Newsletter Growth: versions <= 7.3.14

References

CVSS V3.1

Score: 7.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved

Credit

Kunal Sharma
Akshay Kumar