SQL Injection Vulnerability in Wallet for WooCommerce Plugin
CVE-2024-6353

8.8HIGH

Key Information:

Vendor: WordPress
Status: Wallet For WooCommerce
Vendor: CVE Published:; 12 July 2024

What is CVE-2024-6353?

The Wallet for WooCommerce plugin for WordPress has a SQL Injection vulnerability due to improper handling of the 'search[value]' parameter in all versions up to and including 1.5.4. This flaw stems from insufficient escaping of user-supplied inputs and a lack of adequate preparation within the SQL query. Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability. Once exploited, they can inject additional SQL queries into existing ones, potentially allowing them to access and extract sensitive information stored in the database.

Affected Version(s)

Wallet for WooCommerce 0 <= 1.5.4

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/woo-wallet/tru...

https://wordpress.org/plugins/woo-wallet/#developers

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 12, 2024
Vulnerability Reserved
Jun 26, 2024

Credit

1337_Wannabe

CVE-2024-6353 Data

JSON