Time-Based SQL Injection Vulnerability in WordPress Plugin
CVE-2024-7607
8.8HIGH
Summary
The Front End Users plugin for WordPress is susceptible to time-based SQL Injection due to inadequate escaping of the user-supplied ‘order’ parameter, impacting all versions up to and including 3.2.28. Authenticated users with Contributor-level access or above can exploit this vulnerability to inject additional SQL queries into existing ones. This could lead to unauthorized access to sensitive database information, posing significant risks to the integrity and confidentiality of user data.
Affected Version(s)
Front End Users * <= 3.2.28
References
CVSS V3.1
Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Peter Thaleikis