Time-Based SQL Injection Vulnerability in WP Post Author Plugin
CVE-2024-8757

7.2HIGH

Key Information:

Vendor: Wordpress
Status: WP Post Author – Boost Your Blog's Engagement With Author Box, Social Links, Co-authors, Guest Authors, Post Rating System, And Custom User Registration Form Builder
Vendor: CVE Published:; 12 October 2024

Summary

The WP Post Author plugin for WordPress contains a vulnerability that allows authenticated users with Administrator-level access and above to exploit a time-based SQL Injection via the linked_user_id parameter. Due to insufficient escaping of user-supplied parameters and inadequate preparation in the SQL query, attackers can append additional SQL queries to extract sensitive information from the WordPress database. This vulnerability affects all versions of the WP Post Author plugin up to and including version 3.8.1, potentially leading to unauthorized data exposure.

Affected Version(s)

WP Post Author – Boost Your Blog's Engagement with Author Box, Social Links, Co-Authors, Guest Authors, Post Rating System, and Custom User Registration Form Builder * <= 3.8.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://github.com/GumGumZz/wordpress/blob/main/wp-post-a...

https://plugins.trac.wordpress.org/browser/wp-post-author...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 12, 2024
Vulnerability Reserved
Sep 12, 2024

Credit

Lesor101