WordPress Simple HTML Sitemap Plugin Vulnerable to SQL Injection
CVE-2024-7385

7.2HIGH

Key Information:

Vendor: Wordpress
Status: WordPress Simple Html Sitemap
Vendor: CVE Published:; 25 September 2024

What is CVE-2024-7385?

The Simple HTML Sitemap plugin for WordPress is exposed to SQL Injection attacks due to inadequate parameter escaping on the 'id' parameter and a failure to properly prepare existing SQL queries. This vulnerability allows authenticated users with Administrator-level access and above to insert harmful SQL queries into valid ones, potentially leading to unauthorized exposure of sensitive database information. Website administrators should review their configurations and implement necessary updates to mitigate risks associated with this plugin.

Affected Version(s)

WordPress Simple HTML Sitemap * <= 3.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wp-simple-html...

https://plugins.trac.wordpress.org/changeset/3155037/wp-s...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 25, 2024
Vulnerability Reserved
Aug 1, 2024

Credit

anhchangmutrang

Wordpress

What is CVE-2024-7385?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit