Platform
wordpress
Component
wp-e-commerce
Fixed in
3.15.2
A critical SQL Injection vulnerability (CVE-2024-1514) has been identified in the WP eCommerce plugin for WordPress. This flaw allows unauthenticated attackers to inject malicious SQL queries through the 'cart_contents' parameter, potentially leading to unauthorized data extraction. The vulnerability affects versions up to and including 3.15.1. A patch is available from the vendor.
The SQL Injection vulnerability in WP eCommerce allows attackers to bypass authentication and directly manipulate database queries. Successful exploitation could result in the extraction of sensitive information, including user credentials, customer data, order details, and potentially even database schema information. An attacker could use this information to gain complete control over the WordPress site, modify data, or even delete the entire database. The impact is particularly severe given the plugin's potential use in handling financial transactions and sensitive customer information. This vulnerability shares similarities with other SQL Injection exploits where attackers leverage parameter manipulation to gain unauthorized access.
CVE-2024-1514 was publicly disclosed on February 28, 2024. While no active exploitation campaigns have been confirmed, the vulnerability's critical severity and ease of exploitation make it a high-priority target. No KEV listing is currently available. Public proof-of-concept exploits are likely to emerge, increasing the risk of widespread exploitation.
Websites utilizing the WP eCommerce plugin, particularly those handling sensitive customer data or financial transactions, are at significant risk. Shared hosting environments where multiple WordPress sites share the same database are also at increased risk, as a compromise of one site could potentially lead to the compromise of others.
• wordpress / composer / npm:
grep -r "cart_contents =" /var/www/html/wp-content/plugins/wp-e-commerce/
• generic web:
curl -I 'https://your-wordpress-site.com/?cart_contents='  # Check for SQL injection indicators in the response headers
Disclosure
Exploit status
EPSS
0.55% (68th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-1514 is to immediately upgrade the WP eCommerce plugin to a version that includes the security patch. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a temporary workaround by adding input validation and sanitization to the 'cart_contents' parameter. Web Application Firewalls (WAFs) can be configured with rules to detect and block SQL Injection attempts targeting this parameter. Monitor WordPress access logs for suspicious values of the 'cart_contents' parameter.
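The following script is an added example, not code from the advisory or from the WP eCommerce project. It implements two of the checks recommended above from the defender's side: a version comparison against the fixed release 3.15.2 named on this page, and a scan of combined-format web access logs (Apache/Nginx "combined" layout is assumed) that flags requests whose 'cart_contents' query parameter contains generic SQL-injection indicators. The log lines and the indicator list are constructed for illustration; the pattern list is deliberately generic and is not a description of the actual exploit.

```python
# Added example (not from the advisory or the WP eCommerce project):
# scan combined-format web access logs for requests whose 'cart_contents'
# query parameter carries SQL-injection indicators, and compare an installed
# plugin version against the fixed release 3.15.2 named in the advisory.
# Log lines and indicator patterns below are constructed for illustration.
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

FIXED_VERSION = (3, 15, 2)  # first patched release per the advisory

# Apache/Nginx "combined" log format (assumed log format for this example)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Generic SQL-injection indicators (illustrative list, not exhaustive)
SQLI_PATTERNS = [
    ("union-select", re.compile(r"(?i)\bunion\b.*\bselect\b")),
    ("boolean-tautology", re.compile(r"(?i)\b(or|and)\b\s+['\"0-9]")),
    ("time-based", re.compile(r"(?i)\b(sleep|benchmark)\s*\(")),
    ("schema-probe", re.compile(r"(?i)information_schema")),
    ("sql-comment", re.compile(r"--|/\*|#")),
    ("quote", re.compile(r"'")),
]


def parse_version(version):
    """'3.15.1' -> (3, 15, 1); tolerates a trailing suffix such as '3.15.1-beta'."""
    core = version.strip().split("-")[0]
    return tuple(int(part) for part in core.split("."))


def is_vulnerable_version(version):
    """True when the installed plugin version is older than the fixed release."""
    return parse_version(version) < FIXED_VERSION


def cart_contents_values(path):
    """Decoded 'cart_contents' values in a request path (query string only)."""
    params = parse_qs(urlsplit(path).query, keep_blank_values=True)
    # parse_qs decodes once; decode a second time so double-encoded
    # values (e.g. %2527 -> %27 -> ') are inspected in plain form.
    return [unquote_plus(v) for v in params.get("cart_contents", [])]


def sqli_indicators(value):
    """Names of the indicator patterns that match a parameter value."""
    return [name for name, pattern in SQLI_PATTERNS if pattern.search(value)]


def scan_log(lines):
    """Return one record per request whose cart_contents value looks like SQLi."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a combined-format line; skip it
        for value in cart_contents_values(match.group("path")):
            found = sqli_indicators(value)
            if found:
                hits.append({
                    "ip": match.group("ip"),
                    "time": match.group("time"),
                    "status": int(match.group("status")),
                    "value": value,
                    "indicators": found,
                })
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses)
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Mar/2024:10:00:01 +0000] "GET /?cart_contents=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Mar/2024:10:00:02 +0000] "GET /?cart_contents=1%27%20OR%201%3D1--%20 HTTP/1.1" 200 4096 "-" "curl/8.0"',
    '198.51.100.7 - - [01/Mar/2024:10:00:03 +0000] "GET /shop/?cart_contents=%2527%2520UNION%2520SELECT%25201 HTTP/1.1" 500 0 "-" "python-requests/2.31"',
    '203.0.113.5 - - [01/Mar/2024:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("3.15.1 vulnerable:", is_vulnerable_version("3.15.1"))
    for hit in scan_log(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["status"], hit["indicators"], repr(hit["value"]))
```

Run it against a real log with `scan_log(open("/var/log/nginx/access.log"))`; the second decoding step matters because a WAF rule that only inspects the raw query string misses double-encoded values, which is why the script normalises before matching. The indicator list is intentionally coarse (a lone quote will flag some legitimate input), so treat hits as triage leads to be correlated with the response status and source address rather than as confirmed exploitation.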
Update the WP eCommerce plugin to the latest available version. The SQL injection vulnerability has been fixed in versions after 3.15.1. Make sure to keep your plugins up to date to avoid potential security issues.
CVE-2024-1514 is a critical SQL Injection vulnerability affecting WP eCommerce plugin versions up to 3.15.1, allowing attackers to extract data via the 'cart_contents' parameter.
If you are using WP eCommerce plugin version 3.15.1 or earlier, you are vulnerable to this SQL Injection attack. Check your plugin version immediately.
Upgrade the WP eCommerce plugin to the latest version that includes the security patch. If immediate upgrade is not possible, implement temporary workarounds like input validation and WAF rules.
While no active exploitation campaigns have been confirmed, the vulnerability's severity makes it a likely target for attackers. Monitor your systems closely.
Refer to the official WP eCommerce website and WordPress security announcements for the latest advisory and patch information.
Upload your dependency file and find out immediately whether this and other CVEs affect you.