Time-Based SQL Injection Vulnerability in WP as SAML IDP
CVE-2024-9887

7.2HIGH

Key Information:

Vendor

WordPress
Status
Login Using WordPress Users ( WP As Saml Idp )
Vendor
CVE Published:
16 November 2024

What is CVE-2024-9887?

The Login using WordPress Users (WP as SAML IDP) plugin is exposed to a time-based SQL injection vulnerability through the ‘id’ parameter. This issue arises from insufficient escaping of user-supplied parameters and lack of proper SQL query preparation. Authenticated attackers with Administrator-level access or higher can exploit this vulnerability to inject additional SQL queries into existing queries, enabling unauthorized access to sensitive database information.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Login using WordPress Users ( WP as SAML IDP ) * <= 1.15.6

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://github.com/GumGumZz/wordpress/blob/main/miniorang...
https://plugins.trac.wordpress.org/browser/miniorange-wp-...

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Lesor101
JSON
.