SQL Injection Vulnerability in Cost Calculator Builder WordPress Plugin
CVE-2024-8379

7.2HIGH

Key Information:

Vendor: Wordpress
Status: Cost Calculator Builder
Vendor: CVE Published:; 30 September 2024

Badges

👾 Exploit Exists🟡 Public PoC

Summary

The Cost Calculator Builder plugin for WordPress has a vulnerability that arises from improper sanitization and escaping of a parameter prior to its use in an SQL statement. This flaw allows authenticated users with a role as low as Admin to exploit the underlying SQL injection, potentially leading to unauthorized access or manipulation of the database. Developers and site administrators should take immediate action to update the plugin to version 3.2.29 or later to mitigate this risk.

Affected Version(s)

Cost Calculator Builder 0 < 3.2.29

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-8379 - Proof of Concept

References

https://wpscan.com/vulnerability/a3463d5a-8215-4958-a6c0-...

exploitvdb-entrytechnical-description

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Sep 30, 2024
👾
Exploit known to exist
Sep 30, 2024
Vulnerability published
Sep 30, 2024
Vulnerability Reserved
Sep 2, 2024

Credit

WPScan