Platform
wordpress
Component
mp-timetable
Fixed in
2.4.12
CVE-2024-3342 describes a SQL injection vulnerability in the Timetable and Event Schedule plugin by MotoPress for WordPress. It allows authenticated attackers to append additional SQL to an existing query and extract sensitive information from the database. It affects all versions of the plugin up to and including 2.4.11. A patch is available from the vendor.
The SQL injection lies in the 'events' attribute of the 'mp-timetable' shortcode: the attribute value is not escaped and the query it feeds is not prepared, so an attacker with contributor-level access or higher can save a post containing a crafted shortcode and append arbitrary SQL to the existing query. The shortcode runs when the post is rendered, including the contributor's own preview, so no publishing permission is required. The injected SQL can read any table the WordPress database user can access, such as password hashes in the users table, event data, or options containing API keys. Direct modification or deletion of data is not the expected outcome: $wpdb executes one statement per call, so stacked queries are not run, and write access would depend on the query context. The realistic outcome is a complete read of the database, followed by site takeover through cracked or reused credentials. Successful exploitation can therefore lead to significant data loss, reputational damage and regulatory compliance issues.
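To make the bug class concrete, the following Python/SQLite model is an added example; it is not the plugin's code and its schema is a simplified stand-in for the WordPress posts and users tables. The vulnerable function splices the shortcode attribute straight into an IN (...) list, which is the shape of the defect the advisory describes; the hardened function keeps only integer IDs and binds them through placeholders, which in WordPress terms is array_map('absint', ...) on the list followed by $wpdb->prepare() with one %d placeholder per element. The payload string is constructed for the demonstration.

```python
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for wp_posts and wp_users (not the plugin's schema)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_type TEXT);
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO wp_posts VALUES (1, 'Yoga', 'mp-event'), (2, 'Pilates', 'mp-event'),
                                    (3, 'Hello world', 'post');
        INSERT INTO wp_users VALUES (1, 'admin', '$P$BconstructedHash1'),
                                    (2, 'editor', '$P$BconstructedHash2');
    """)
    return con


def shortcode_atts(content: str) -> dict:
    """Minimal parser for the attributes of a [mp-timetable ...] shortcode."""
    m = re.search(r"\[mp-timetable\s+([^\]]*)\]", content)
    if not m:
        return {}
    return dict(re.findall(r'(\w+)="([^"]*)"', m.group(1)))


def events_vulnerable(con: sqlite3.Connection, atts: dict) -> list:
    """Assumed vulnerable shape: the raw attribute value is spliced into IN (...)."""
    events = atts.get("events", "")
    sql = ("SELECT post_title FROM wp_posts "
           f"WHERE post_type = 'mp-event' AND ID IN ({events}) ORDER BY ID")
    return [row[0] for row in con.execute(sql)]


def events_hardened(con: sqlite3.Connection, atts: dict) -> list:
    """Hardened shape: coerce every list item to an integer and bind placeholders."""
    ids = [int(x) for x in atts.get("events", "").split(",") if x.strip().isdigit()]
    if not ids:
        return []
    placeholders = ",".join("?" * len(ids))          # one bound parameter per ID
    sql = ("SELECT post_title FROM wp_posts "
           f"WHERE post_type = 'mp-event' AND ID IN ({placeholders}) ORDER BY ID")
    return [row[0] for row in con.execute(sql, ids)]


# Constructed contributor payload: closes the IN list, appends a UNION that reads
# password hashes, and comments out the rest of the original query.
PAYLOAD = '[mp-timetable events="1) UNION SELECT user_pass FROM wp_users -- "]'
BENIGN = '[mp-timetable events="2,1"]'

if __name__ == "__main__":
    con = build_db()
    print("vulnerable:", events_vulnerable(con, shortcode_atts(PAYLOAD)))
    print("hardened:  ", events_hardened(con, shortcode_atts(PAYLOAD)))
    print("benign:    ", events_hardened(con, shortcode_atts(BENIGN)))
```

Running the script shows the vulnerable path returning both password hashes alongside the legitimate event title, while the hardened path returns nothing for the payload and the correct two events for the benign attribute. Note that the fix is not escaping alone: an escaped string still cannot be placed inside IN (...) safely, which is why the list must be coerced to integers before being bound.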
CVE-2024-3342 was publicly disclosed on April 27, 2024. No public proof-of-concept (PoC) code had been widely released at the time of writing, but the attack is low-complexity (a contributor saving a post that contains the shortcode), so PoC development and exploitation in the wild are likely. The vulnerability is not currently listed in the CISA KEV catalog. Given the plugin's install base and the high severity of the issue, active exploitation is a realistic concern.
WordPress sites running the Timetable and Event Schedule plugin that have contributor-level (or higher) accounts are at risk; this includes any site that allows author or guest-post registration. On shared hosting the injection reaches another site's data only if the WordPress database user has privileges on that site's database, or if several sites share one database under different table prefixes. With a dedicated database user per site, the blast radius stays within that site's own tables.
• wordpress / composer / npm: wp plugin list --status=active --fields=name,version | grep mp-timetable
• wordpress / composer / npm: wp db query "SELECT ID, post_author, post_status FROM $(wp db prefix)posts WHERE post_content LIKE '%[mp-timetable%events=%'"
• wordpress / composer / npm: wp plugin update mp-timetable
• generic web: Inspect WordPress plugin files for unsanitized user input in the 'mp-timetable' shortcode.
Disclosure
Exploit status
EPSS
0.31% (54th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-3342 is to upgrade the Timetable and Event Schedule plugin immediately to a version patched against this vulnerability. If upgrading is not immediately feasible because of compatibility concerns or breaking changes, reduce the attack surface instead: deactivate the plugin, or temporarily remove or downgrade contributor and author accounts you do not fully trust, since the attack requires nothing more than the ability to save a post containing the shortcode. A Web Application Firewall (WAF) can add a layer of defense, but note where the payload is visible: the shortcode is submitted once, when the post is saved through wp-admin/post.php or the REST API, and executes later on render, so the rule has to match the shortcode attribute in the request body rather than a query string. WordPress does not log SQL by default; to monitor for abuse, temporarily enable the database server's query log, and audit the posts table for mp-timetable shortcodes whose 'events' attribute is anything other than a comma-separated list of integer IDs.
Update the Timetable and Event Schedule by MotoPress plugin to the latest available version. Version 2.4.12 or later fixes this SQL injection vulnerability.
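Because the payload has to be stored in a post before it ever runs, the most reliable check is an audit of the posts table itself. The following Python is an added example, not part of the page or the plugin: it flags every mp-timetable shortcode whose 'events' attribute is not a plain comma-separated list of integer IDs and reports the post and author that saved it. The sample rows are constructed, and the column layout (ID, post_author, post_status, post_content) is an assumption matching a SELECT on the posts table.

```python
import re

# Benign grammar for the attribute: an optional comma-separated list of integer IDs.
BENIGN_EVENTS = re.compile(r"^\s*(\d+(\s*,\s*\d+)*)?\s*$")
# One [mp-timetable ...] shortcode; attributes may be double-, single- or un-quoted.
SHORTCODE = re.compile(r"\[mp-timetable\s+([^\]]*)\]")
ATTR = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|(\S+))')


def suspicious_events_values(content: str) -> list:
    """Return every events= value in the content that is not an integer ID list."""
    hits = []
    for m in SHORTCODE.finditer(content):
        for name, dq, sq, bare in ATTR.findall(m.group(1)):
            if name.lower() != "events":
                continue
            value = dq or sq or bare
            if not BENIGN_EVENTS.match(value):
                hits.append(value)
    return hits


def audit_posts(rows) -> list:
    """rows: iterable of (ID, post_author, post_status, post_content).
    Returns (ID, post_author, post_status, events_value) for each suspicious shortcode;
    drafts and pending posts matter as much as published ones, since preview renders them."""
    findings = []
    for post_id, author, status, content in rows:
        for value in suspicious_events_values(content):
            findings.append((post_id, author, status, value))
    return findings


# Constructed sample rows standing in for the posts table; not real site data.
SAMPLE_ROWS = [
    (10, 2, "publish", 'Schedule: [mp-timetable events="12, 15" view="week"]'),
    (11, 7, "draft", '[mp-timetable events="1) UNION SELECT user_pass FROM wp_users -- "]'),
    (12, 7, "pending", "[mp-timetable events='1 OR SLEEP(5)']"),
    (13, 3, "publish", "No shortcode here."),
]

if __name__ == "__main__":
    for post_id, author, status, value in audit_posts(SAMPLE_ROWS):
        print(f"post {post_id} (author {author}, {status}): events={value!r}")
```

Post 11 and post 12, both saved by the same author, are the ones to look at; a hit on a draft or pending post is still a finding, because the contributor's preview renders the shortcode. Feed the function real rows by selecting ID, post_author, post_status and post_content from the posts table (for example with wp db query) rather than grepping plugin files, which never contain the attacker-controlled value.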
CVE-2024-3342 is a high-severity SQL injection vulnerability affecting the MotoPress Timetable and Event Schedule plugin for WordPress, allowing authenticated attackers with contributor-level access or higher to extract data from the database.
You are affected if you are using the plugin version 2.4.11 or earlier. Check your plugin version and upgrade immediately.
Upgrade the plugin to the latest version available from the MotoPress website or WordPress plugin repository.
While no active exploitation has been confirmed, the vulnerability's severity and ease of exploitation suggest a high risk of exploitation.
Refer to the MotoPress website and WordPress plugin repository for the latest advisory and update information.