SQL Injection Vulnerability in WP-Recall Plugin for WordPress
CVE-2024-9770

4.7MEDIUM

Key Information:

Vendor: WordPress
Status: WP-recall
Vendor: CVE Published:; 25 March 2025

Badges

👾 Exploit Exists🟡 Public PoC

Summary

The WP-Recall plugin for WordPress prior to version 16.26.12 contains a vulnerability that allows attackers to execute SQL injection attacks. This occurs due to a failure to properly sanitize and escape user-supplied input in SQL statements. Consequently, administrators could be manipulated into executing arbitrary SQL commands, potentially leading to unauthorized database access and data breaches.

Affected Version(s)

WP-Recall 0 < 16.26.12

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-9770 - Proof of Concept

References

https://wpscan.com/vulnerability/d31f8713-b807-4ac4-8897-...

exploitvdb-entrytechnical-description

CVSS V3.1

Score:

4.7

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

🟡
Public PoC available
Mar 25, 2025
👾
Exploit known to exist
Mar 25, 2025
Vulnerability published
Mar 25, 2025
Vulnerability Reserved
Oct 9, 2024

Credit

y4ng0615

WPScan