Platform
wordpress
Component
woo-payment-gateway-for-piraeus-bank
Fixed in
1.6.6
CVE-2024-0610 describes a time-based blind SQL Injection vulnerability discovered in the Piraeus Bank WooCommerce Payment Gateway plugin for WordPress. This flaw allows unauthenticated attackers to inject malicious SQL queries, potentially leading to data exfiltration. The vulnerability impacts versions up to and including 1.6.5.1. A patch is expected from the vendor.
The SQL Injection vulnerability in the Piraeus Bank WooCommerce Payment Gateway allows attackers to bypass authentication and directly manipulate database queries. By injecting carefully crafted SQL statements through the 'MerchantReference' parameter, an attacker can extract sensitive information stored within the database. This could include customer data, transaction details, and potentially even administrative credentials. Successful exploitation could lead to significant data breaches and compromise the integrity of the entire WooCommerce store. The blind nature of the injection means attackers must use time-based techniques to extract data, but this does not significantly reduce the risk.
CVE-2024-0610 was publicly disclosed on February 17, 2024. While no active exploitation campaigns have been confirmed, the CRITICAL severity and ease of exploitation make it a high-priority target. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge, increasing the risk of widespread exploitation.
Exploit Status
EPSS
0.48% (65% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-0610 is to immediately upgrade the Piraeus Bank WooCommerce Payment Gateway plugin to a patched version when available. Until a patch is released, consider disabling the plugin entirely to prevent potential exploitation. As a temporary workaround, implement strict input validation and sanitization on the 'MerchantReference' parameter, ensuring that only expected characters are allowed. Web Application Firewalls (WAFs) configured to detect and block SQL Injection attempts can also provide an additional layer of defense. Monitor WordPress access logs for suspicious SQL queries related to the plugin.
Update the Piraeus Bank WooCommerce Payment Gateway plugin to the latest available version. The SQL Injection vulnerability was fixed in versions later than 1.6.5.1. Refer to the plugin page in the WordPress repository for the most recent version.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-0610 is a critical SQL Injection vulnerability affecting the Piraeus Bank WooCommerce Payment Gateway plugin for WordPress versions up to 1.6.5.1, allowing attackers to extract sensitive data.
If you are using the Piraeus Bank WooCommerce Payment Gateway plugin and are running a version equal to or less than 1.6.5.1, you are potentially affected by this vulnerability.
The recommended fix is to upgrade to a patched version of the Piraeus Bank WooCommerce Payment Gateway plugin as soon as it becomes available. Until then, disable the plugin or implement input validation.
While no active exploitation campaigns have been confirmed, the vulnerability's severity and ease of exploitation suggest a high risk of exploitation.
Refer to the official Piraeus Bank WooCommerce Payment Gateway plugin documentation and WordPress security announcements for updates and advisories related to CVE-2024-0610.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.