Plattform
wordpress
Komponente
wpforo
Behoben in
2.3.4
CVE-2024-3200 is a critical SQL Injection vulnerability affecting the wpForo Forum plugin for WordPress. This flaw allows authenticated attackers, possessing contributor-level access or higher, to inject malicious SQL queries. Versions of wpForo Forum up to and including 2.3.3 are vulnerable. A patch is available in version 2.3.4.
The SQL Injection vulnerability in wpForo Forum arises from insufficient escaping of the 'slug' parameter within the 'wpforo' shortcode. An attacker can leverage this to append arbitrary SQL queries to existing database queries. Successful exploitation could lead to the extraction of sensitive data stored within the WordPress database, including user credentials, forum posts, and potentially other application data. Depending on the database schema and permissions, an attacker might even be able to modify or delete data, leading to a complete compromise of the WordPress site and its associated data. This vulnerability is particularly concerning given the popularity of WordPress and the potential for widespread exploitation.
CVE-2024-3200 was publicly disclosed on June 1, 2024. While no active exploitation campaigns have been definitively confirmed at the time of writing, the CRITICAL severity and the ease of exploitation (requiring only contributor access) suggest a high probability of exploitation. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge, increasing the risk of widespread exploitation.
WordPress websites utilizing the wpForo Forum plugin, particularly those with multiple users having contributor-level access or higher, are at significant risk. Shared hosting environments where multiple WordPress instances share the same database are also at increased risk, as a compromise of one site could potentially impact others.
• wordpress / composer / npm:
grep -r "wpforo_get_forum_by_slug" /var/www/html/wp-content/plugins/wpforo/includes/• wordpress / composer / npm:
wp plugin list | grep wpforo• wordpress / composer / npm:
wp plugin update wpforo• generic web: Inspect the 'slug' parameter in the URL when using the 'wpforo' shortcode for unusual characters or SQL keywords.
disclosure
Exploit-Status
EPSS
1.03% (77% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation for CVE-2024-3200 is to immediately upgrade the wpForo Forum plugin to version 2.3.4 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to filter out potentially malicious SQL injection attempts targeting the 'wpforo' shortcode's 'slug' parameter. Specifically, look for unusual characters or SQL keywords within the slug value. Additionally, review user roles and permissions to ensure that only authorized users have contributor access or higher. After upgrading, confirm the fix by attempting to inject a simple SQL query via the 'wpforo' shortcode and verifying that it is properly sanitized and does not result in an error or data leakage.
Actualice el plugin wpForo Forum a la versión 2.3.4 o superior. Esta versión corrige la vulnerabilidad de inyección SQL. Puede actualizar a través del panel de administración de WordPress o descargando la última versión desde el repositorio oficial.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2024-3200 is a critical SQL Injection vulnerability in the wpForo Forum plugin for WordPress, allowing attackers to inject SQL queries and potentially extract sensitive data.
Yes, if you are using wpForo Forum version 2.3.3 or earlier, you are vulnerable to this SQL Injection flaw.
Upgrade the wpForo Forum plugin to version 2.3.4 or later to resolve the vulnerability. Consider WAF rules as a temporary mitigation.
While no active exploitation campaigns have been confirmed, the CRITICAL severity and ease of exploitation suggest a high probability of exploitation.
Refer to the official wpForo Forum website and WordPress plugin repository for updates and advisories related to CVE-2024-3200.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.