Secure Your Database from SQL Injection Vulnerabilities
CVE-2024-8621
6.5 MEDIUM
Summary
The Daily Prayer Time plugin for WordPress is vulnerable to SQL Injection via the 'max_word' attribute of the 'quran_verse' shortcode. The attribute value is not adequately escaped and the existing SQL query is not prepared, so the user-supplied text is spliced into the statement as-is. Authenticated attackers with Contributor-level access or higher can place the shortcode in content they control and append additional SQL to the plugin's query. A successful attack can extract sensitive data from the database, including user and site information. Site owners should update the plugin as soon as a fixed version is available.
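The pattern described above, as an added illustration (this is not the plugin's actual code, and the table name `example_verses`, the column names, and the function names are hypothetical): a shortcode handler that concatenates the 'max_word' attribute into a query, beside a hardened version that coerces the value to an integer and binds it through `$wpdb->prepare()`.

```php
<?php
// Added illustration, not the Daily Prayer Time plugin's own code.
// Table and column names below are hypothetical.

// VULNERABLE: the 'max_word' attribute is concatenated straight into the SQL.
// Whatever text a Contributor puts in the attribute becomes part of the
// statement, so the query can be extended with arbitrary SQL.
function example_quran_verse_vulnerable( $atts ) {
    global $wpdb;
    $atts = shortcode_atts( array( 'max_word' => 10 ), $atts, 'quran_verse' );

    $sql = "SELECT verse_text FROM {$wpdb->prefix}example_verses"
         . " WHERE word_count <= " . $atts['max_word'] . " LIMIT 1";

    $row = $wpdb->get_var( $sql );
    return esc_html( (string) $row );
}

// HARDENED: normalise the attribute to a non-negative integer, reject an
// empty/zero value, and bind it with a %d placeholder so the database
// driver never sees attacker-controlled SQL text.
function example_quran_verse_hardened( $atts ) {
    global $wpdb;
    $atts     = shortcode_atts( array( 'max_word' => 10 ), $atts, 'quran_verse' );
    $max_word = absint( $atts['max_word'] ); // non-numeric input becomes 0

    if ( 0 === $max_word ) {
        return '';
    }

    $sql = $wpdb->prepare(
        "SELECT verse_text FROM {$wpdb->prefix}example_verses WHERE word_count <= %d LIMIT 1",
        $max_word
    );

    $row = $wpdb->get_var( $sql );
    return esc_html( (string) $row );
}

add_shortcode( 'quran_verse', 'example_quran_verse_hardened' );
```

When reviewing a plugin for this class of bug, grep for `$wpdb->query`, `get_var`, `get_results` and `get_row` calls whose argument is built with string concatenation or interpolation, then confirm every dynamic value either passes through `$wpdb->prepare()` with a `%d`/`%s`/`%f` placeholder or is an identifier drawn from a fixed allow-list; `absint()` alone is enough for a purely numeric attribute, but the prepared statement still documents the intent and survives later edits to the query.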
References
CVSS V3.1
Score: 6.5
Severity: MEDIUM
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Confidentiality: High
Integrity: None
Availability: None (a 6.5 base score with the metrics below corresponds to A:N; the same vector with A:H would score 8.1, and the summary describes data disclosure only)
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published