SQL Injection Vulnerability in WP ULike Marketing Toolkit Plugin
CVE-2024-1797
8.8HIGH
Key Information:
- Vendor
Wordpress
- Vendor
- CVE Published:
- 2 May 2024
What is CVE-2024-1797?
The WP ULike – Most Advanced WordPress Marketing Toolkit plugin for WordPress is susceptible to SQL Injection vulnerabilities through the 'status' and 'id' parameters in the 'wp_ulike_counter' and 'wp_ulike' shortcodes. This vulnerability affects all versions up to and including 4.6.9, stemming from inadequate parameter escaping and poor SQL query preparation. Consequently, authenticated users with contributor-level access can inject arbitrary SQL queries into existing queries, potentially leading to the extraction of sensitive information from the database.
Affected Version(s)
WP ULike – Most Advanced WordPress Marketing Toolkit * <= 4.6.9