SQL Injection Vulnerability in MotoPress Timetable Plugin Affects Sensitive Data
CVE-2024-3342
CVSS 9.9 CRITICAL
Key Information:
- Vendor: WordPress (plugin by MotoPress)
- CVE Published: 27 April 2024
Summary
The Timetable and Event Schedule by MotoPress plugin for WordPress is vulnerable to SQL Injection via the 'events' attribute of the 'mp-timetable' shortcode in all versions up to and including 2.4.11. The cause is insufficient escaping of the user-supplied attribute and a lack of sufficient preparation on the SQL query it is built into. Authenticated attackers with contributor-level access or higher (anyone who can place a shortcode in a post) can append additional SQL queries to the existing query and use them to extract sensitive data, such as user records, from the database.
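The pattern the summary describes (a comma-separated list of IDs from a shortcode attribute concatenated into an IN (...) clause) is illustrated below with an added, self-contained Python example. It is not the plugin's code and the schema, the shortcode handler and the `query_events_*` functions are constructed for illustration; the page does not show the plugin's real query. The payload also shows why splitting the attribute on commas is not a defence, and the hardened variant casts every piece to an integer and binds it as a parameter, the equivalent of `array_map('intval', ...)` plus `$wpdb->prepare()` with `%d` placeholders in WordPress.

```python
from __future__ import annotations

import re
import sqlite3

# Constructed stand-in for a WordPress database (hypothetical schema, not the
# plugin's real tables): events live in wp_posts, credentials in wp_users.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_type TEXT);
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO wp_posts VALUES (1, 'Yoga', 'mp-event'), (2, 'Pilates', 'mp-event'),
                                    (3, 'Hello world', 'post');
        INSERT INTO wp_users VALUES (1, 'admin', '$P$Badminhash'), (2, 'editor', '$P$Beditorhash');
        """
    )
    return conn


def split_events_attr(events: str) -> list[str]:
    """Mimic a shortcode handler that explodes events="1,2,3" on commas."""
    return [part.strip() for part in events.split(",") if part.strip()]


def query_events_vulnerable(conn: sqlite3.Connection, events: str) -> list[tuple]:
    """Hypothetical vulnerable pattern: the attribute pieces are concatenated
    straight into the IN (...) list without escaping or casting."""
    id_list = ",".join(split_events_attr(events))
    sql = (
        "SELECT ID, post_title, post_type FROM wp_posts "
        f"WHERE post_type = 'mp-event' AND ID IN ({id_list}) ORDER BY ID"
    )
    return sorted(conn.execute(sql).fetchall())


def intval(value: str) -> int:
    """Equivalent of PHP intval(): leading integer if present, otherwise 0."""
    m = re.match(r"\s*[+-]?\d+", value)
    return int(m.group()) if m else 0


def query_events_hardened(conn: sqlite3.Connection, events: str) -> list[tuple]:
    """Hardened form: every piece is cast to int and bound as a parameter, so the
    attacker-controlled string can never become part of the SQL text."""
    ids = [intval(part) for part in split_events_attr(events)]
    if not ids:
        return []
    placeholders = ",".join("?" for _ in ids)
    sql = (
        "SELECT ID, post_title, post_type FROM wp_posts "
        f"WHERE post_type = 'mp-event' AND ID IN ({placeholders}) ORDER BY ID"
    )
    return sorted(conn.execute(sql, ids).fetchall())


# Constructed contributor-supplied attribute value. Splitting on commas does not
# stop it: the pieces are re-joined and the UNION survives intact, while the
# trailing comment marker swallows the rest of the original query.
PAYLOAD = "0) UNION SELECT ID, user_login || ':' || user_pass, 'leak' FROM wp_users --"

if __name__ == "__main__":
    db = build_db()
    print(query_events_vulnerable(db, "1,2"))      # the two legitimate events
    print(query_events_vulnerable(db, PAYLOAD))    # user logins and password hashes
    print(query_events_hardened(db, PAYLOAD))      # [] : payload collapses to IN (0,0,0)
```

Note that the hardened query still needs the list to be non-empty before building the placeholder string; an empty IN () is itself a SQL error, which is why the function returns early. Casting is the right fix only because the attribute is a list of numeric post IDs; a free-text attribute would instead need a prepared statement with `%s` placeholders.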
Affected Version(s)
Timetable and Event Schedule by MotoPress: all versions <= 2.4.11
CVSS V3.1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Score: 9.9
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Timeline
- Vulnerability published: 27 April 2024
- Vulnerability reserved
Credit
Krzysztof Zając