SQL Injection Vulnerability in WordPress REST API
CVE-2024-8484

7.5HIGH

Key Information:

Vendor

WordPress
Status
Rest Api To Miniprogram
Vendor
CVE Published:
25 September 2024

Badges

πŸ‘Ύ Exploit Exists🟑 Public PoC🟣 EPSS 88%

What is CVE-2024-8484?

A vulnerability exists in the REST API TO MiniProgram plugin for WordPress, affecting versions up to and including 4.7.1. This vulnerability is attributed to insufficient escaping of user-supplied input in the 'order' parameter of the /wp-json/watch-life-net/v1/comment/getcomments REST API endpoint. As a consequence, unauthenticated attackers can inject additional SQL queries into the existing database queries, potentially leading to unauthorized access and extraction of sensitive data from the database.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

REST API TO MiniProgram * <= 4.7.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-8484
Created by RandomRobbieBF

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/rest-api-to-mi...

EPSS Score

88% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • 🟑

    Public PoC available

  • πŸ‘Ύ

    Exploit known to exist

JSON
.