SQL Injection Vulnerability in WP Sessions Time Monitoring Full Automatic
CVE-2024-49681

9.3CRITICAL

Key Information:

Vendor: WordPress
Status: WP Sessions Time Monitoring Full Automatic
Vendor: CVE Published:; 24 October 2024

Badges

👾 Exploit Exists🟡 Public PoC

Summary

A vulnerability exists in the WP Sessions Time Monitoring Full Automatic plugin developed by SWIT, stemming from improper neutralization of special elements utilized in SQL commands. This SQL Injection vulnerability could enable attackers to manipulate database queries, potentially leading to data exposure or corruption. The affected versions range from n/a to 1.0.9, which opens up attack vectors for malicious actors to exploit weaknesses in the plugin's code, thereby compromising the integrity and security of WordPress installations utilizing this and other affected products.

Affected Version(s)

WP Sessions Time Monitoring Full Automatic <= 1.0.9

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-49681
Created by RandomRobbieBF

References

https://patchstack.com/database/vulnerability/activitytim...

vdb-entry

CVSS V3.1

Score:

9.3

Severity:

CRITICAL

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Timeline

🟡
Public PoC available
Nov 10, 2024
👾
Exploit known to exist
Nov 10, 2024
Vulnerability published
Oct 24, 2024
Vulnerability Reserved
Oct 17, 2024

Credit

stealthcopter (Patchstack Alliance)