Platform: wordpress
Component: youzify
Fixed in: 1.2.6
CVE-2024-4742 describes a critical SQL Injection vulnerability affecting the Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress. This flaw allows authenticated attackers, even those with limited Contributor-level access, to inject malicious SQL queries. The vulnerability impacts versions of the plugin up to and including 1.2.5. A fix is available in subsequent versions; upgrading is the recommended solution.
The SQL Injection vulnerability in Youzify allows an attacker to manipulate database queries, potentially leading to unauthorized data access and modification. An attacker could extract sensitive information such as user credentials, personal data, or even critical configuration details stored within the WordPress database. Successful exploitation could also lead to data deletion or corruption, severely impacting the website's functionality and integrity. The relatively low access requirement (Contributor level) significantly broadens the potential attack surface, making many WordPress sites vulnerable. This vulnerability shares similarities with other SQL injection flaws where attackers can bypass authentication and gain elevated privileges.
CVE-2024-4742 was publicly disclosed on June 20, 2024. The vulnerability's CRITICAL CVSS score (9.8) indicates a high probability of exploitation. While no public proof-of-concept (PoC) has been widely publicized, the ease of exploitation and the plugin's popularity suggest that it is a likely target for malicious actors. Monitor security advisories and threat intelligence feeds for any signs of active exploitation campaigns.
WordPress websites utilizing the Youzify plugin, particularly those running versions 1.2.5 or earlier, are at significant risk. Shared hosting environments where multiple websites share the same database are especially vulnerable, as a compromise of one site could potentially expose data from others. Sites with weak password policies or inadequate user access controls are also at higher risk.
• wordpress / composer / npm:
  grep -r "order_by shortcode attribute" /var/www/html/wp-content/plugins/youzify/
• wordpress / composer / npm:
  wp plugin list --status=active | grep youzify
• wordpress / composer / npm:
  wp plugin update youzify
• generic web: Check the WordPress plugin directory for an updated version of Youzify.
Exploit status
EPSS: 0.63% (70th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2024-4742 is to upgrade the Youzify plugin to a version that addresses the vulnerability. Check the Youzify website or WordPress plugin repository for the latest version. If immediate upgrading is not possible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to filter out malicious SQL injection attempts targeting the orderby shortcode attribute. Additionally, carefully review and sanitize all user inputs within the plugin to prevent further SQL injection vulnerabilities. After upgrading, confirm the fix by attempting to inject a simple SQL query through the orderby parameter and verifying that it is properly sanitized and does not execute.
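As an added illustration (not Youzify's own code), a hypothetical shortcode that builds its ORDER BY clause from an orderby attribute, first in the injectable form and then with the allowlist check that the sanitisation advice above calls for. $wpdb, shortcode_atts() and add_shortcode() are real WordPress APIs; the shortcode name, column names and constant are assumptions.

```php
<?php
// Added example, not code from the Youzify plugin. Assumes the WordPress
// globals $wpdb, shortcode_atts() and add_shortcode(); column names are
// hypothetical.

// Columns a shortcode author may legitimately sort by (hypothetical list).
const MEMBERS_ORDERBY_ALLOWLIST = [ 'display_name', 'user_registered', 'post_count' ];

/**
 * Injectable pattern: the attribute is concatenated straight into the SQL.
 * ORDER BY cannot be parameterised with $wpdb->prepare(), and escaping does
 * not help because the value is not inside quotes, so any Contributor who can
 * publish a shortcode controls part of the query text.
 */
function members_list_vulnerable( $atts ) {
    global $wpdb;
    $atts = shortcode_atts( [ 'orderby' => 'display_name' ], $atts );
    $sql  = "SELECT ID, display_name FROM {$wpdb->users} ORDER BY {$atts['orderby']}";
    return $wpdb->get_results( $sql );
}

/**
 * Hardened pattern: the attribute is only ever compared against a fixed
 * allowlist; anything unknown falls back to a safe default column. The
 * direction is reduced to one of two literals the same way.
 */
function members_orderby_clause( $orderby, $order = 'ASC' ) {
    $column = in_array( $orderby, MEMBERS_ORDERBY_ALLOWLIST, true ) ? $orderby : 'display_name';
    $dir    = ( strtoupper( (string) $order ) === 'DESC' ) ? 'DESC' : 'ASC';
    return "ORDER BY `{$column}` {$dir}";
}

function members_list_hardened( $atts ) {
    global $wpdb;
    $atts = shortcode_atts( [ 'orderby' => 'display_name', 'order' => 'ASC' ], $atts );
    $sql  = "SELECT ID, display_name FROM {$wpdb->users} "
          . members_orderby_clause( $atts['orderby'], $atts['order'] );
    return $wpdb->get_results( $sql );
}

// Only the hardened handler is registered; the vulnerable one is shown for contrast.
add_shortcode( 'members_list', 'members_list_hardened' );
```

The same allowlist check is what a post-upgrade test through the orderby parameter should observe: an unrecognised value silently resolves to the default column rather than reaching the database.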
Update the Youzify plugin to the latest available version. The SQL injection vulnerability has been fixed in versions after 1.2.5. This prevents authenticated attackers with Contributor-level access or higher from executing malicious SQL queries.
CVE-2024-4742 is a critical SQL Injection vulnerability in the Youzify WordPress plugin, affecting versions up to 1.2.5. It allows authenticated attackers to inject malicious SQL queries and potentially extract sensitive data.
You are affected if your WordPress site uses the Youzify plugin and is running version 1.2.5 or earlier. Check your plugin version immediately and upgrade if necessary.
Upgrade the Youzify plugin to the latest available version. If upgrading is not immediately possible, implement a WAF rule to filter malicious SQL injection attempts.
While no widespread exploitation has been confirmed, the vulnerability's severity and ease of exploitation suggest it is a likely target for malicious actors. Continuous monitoring is advised.
Check the Youzify website and the WordPress plugin repository for the official advisory and updated version information.