WordPress Simple HTML Sitemap Plugin Vulnerable to SQL Injection
CVE-2024-7385

9.1CRITICAL

Key Information:

Vendor: WordPress
Status: WP Simple Html Sitemap
Vendor: CVE Published:; 25 September 2024

What is CVE-2024-7385?

The Simple HTML Sitemap plugin for WordPress is exposed to SQL Injection attacks due to inadequate parameter escaping on the 'id' parameter and a failure to properly prepare existing SQL queries. This vulnerability allows authenticated users with Administrator-level access and above to insert harmful SQL queries into valid ones, potentially leading to unauthorized exposure of sensitive database information. Website administrators should review their configurations and implement necessary updates to mitigate risks associated with this plugin.

Affected Version(s)

WP Simple HTML Sitemap 0 <= 3.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wp-simple-html...

https://plugins.trac.wordpress.org/changeset/3155037/wp-s...

EPSS Score

13% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 25, 2024
Vulnerability Reserved
Aug 1, 2024

Credit

anhchangmutrang

CVE-2024-7385 Data

JSON