Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in postMash - custom post order
CVE-2024-25927

9.8CRITICAL

Key Information:

Vendor: WordPress
Status: Postmash – Custom Post Order
Vendor: CVE Published:; 28 February 2024

Summary

A SQL Injection vulnerability in the postMash – Custom Post Order plugin, developed by Joel Starnes, allows attackers to manipulate SQL queries. This vulnerability affects versions from n/a through 1.2.0, potentially enabling unauthorized access to sensitive database information. Proper sanitization of user inputs is crucial to prevent exploitation, as attackers could exploit the flaw to execute arbitrary SQL code, leading to data exposure or modification.

Affected Version(s)

postMash – custom post order <= 1.2.0

References

https://patchstack.com/database/vulnerability/postmash/wo...

vdb-entry

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 28, 2024
Vulnerability Reserved
Feb 12, 2024

Credit

Dimas Maulana (Patchstack Alliance)