SQL Injection Vulnerability in Directory Kit Plugin for WordPress
CVE-2024-3217
Currently unrated
Summary
The WP Directory Kit plugin, used in WordPress websites, is exposed to a SQL injection vulnerability caused by improper escaping of user-supplied parameters, specifically 'attribute_value' and 'attribute_id'. This exploitation allows authenticated attackers with subscriber-level access or higher to inject additional SQL queries into existing database queries, jeopardizing sensitive database information. As a consequence, it is critical for users of the plugin to assess their installations and apply appropriate updates or mitigations to enhance security.
References
Timeline
Vulnerability published