Platform: wordpress
Component: wp-e-commerce
Fixed in: 3.15.2
A critical SQL Injection vulnerability (CVE-2024-1514) has been identified in the WP eCommerce plugin for WordPress. This flaw allows unauthenticated attackers to inject malicious SQL queries through the 'cart_contents' parameter, potentially leading to unauthorized data extraction. The vulnerability affects versions up to and including 3.15.1. A patch is available from the vendor.
The SQL Injection vulnerability in WP eCommerce allows attackers to bypass authentication and directly manipulate database queries. Successful exploitation could result in the extraction of sensitive information, including user credentials, customer data, order details, and potentially even database schema information. An attacker could use this information to gain complete control over the WordPress site, modify data, or even delete the entire database. The impact is particularly severe given the plugin's potential use in handling financial transactions and sensitive customer information. This vulnerability shares similarities with other SQL Injection exploits where attackers leverage parameter manipulation to gain unauthorized access.
CVE-2024-1514 was publicly disclosed on February 28, 2024. While no active exploitation campaigns have been confirmed, the vulnerability's critical severity and ease of exploitation make it a high-priority target. No KEV listing is currently available. Public proof-of-concept exploits are likely to emerge, increasing the risk of widespread exploitation.
Exploit Status
EPSS: 0.55% (68th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-1514 is to immediately upgrade the WP eCommerce plugin to a version that includes the security patch. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a temporary workaround by adding input validation and sanitization to the 'cart_contents' parameter. Web Application Firewalls (WAFs) can be configured with rules to detect and block SQL Injection attempts targeting this parameter. Monitor WordPress access logs for suspicious SQL syntax in the 'cart_contents' parameter.
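The log monitoring suggested above, as an added example that is not part of this advisory or of the plugin's own code: a Python scan over constructed Apache combined-format access log lines that extracts the cart_contents query parameter, decodes it (including double-encoded values) and flags SQL syntax that never belongs in a cart identifier. It assumes the parameter is visible in the logged request line; values sent in a POST body do not appear in standard access logs and need request-body logging or a WAF to inspect.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote_plus

# Constructed sample log lines in Apache combined format (not taken from any real server).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Mar/2024:10:00:01 +0000] "GET /?cart_contents=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Mar/2024:10:00:07 +0000] "GET /?cart_contents=12%27%20OR%201%3D1--%20 HTTP/1.1" 200 2048 "-" "curl/8.4.0"
203.0.113.9 - - [01/Mar/2024:10:00:09 +0000] "GET /?cart_contents=1%2520UNION%2520SELECT%25201%252C2 HTTP/1.1" 500 0 "-" "curl/8.4.0"
198.51.100.2 - - [01/Mar/2024:10:01:00 +0000] "GET /shop/?cart_contents=7 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# SQL syntax that never belongs in a cart identifier; rules are named so an alert says which one fired.
SQLI_RULES = {
    "quote": re.compile(r"'"),
    "comment": re.compile(r"--|/\*"),
    "union_select": re.compile(r"\bunion\b.{0,20}\bselect\b", re.I),
    "tautology": re.compile(r"\b(or|and)\b\s*['\d]+\s*=\s*['\d]+", re.I),
    "time_based": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
}

def decode_param(value: str, rounds: int = 2) -> str:
    """URL-decode repeatedly (bounded) so double-encoded values are inspected in clear."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_suspicious(log_text: str) -> list:
    """Return one dict per request whose cart_contents value matches a rule, for triage or SIEM forwarding."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line; skip rather than crash
        query = urlparse(m.group("target")).query  # parse_qs below decodes one layer itself
        for raw in parse_qs(query, keep_blank_values=True).get("cart_contents", []):
            value = decode_param(raw)
            rule = next((name for name, rx in SQLI_RULES.items() if rx.search(value)), None)
            if rule:
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "status": m.group("status"), "rule": rule, "value": value})
    return hits

if __name__ == "__main__":
    for h in find_suspicious(SAMPLE_LOG):
        print(f"{h['ts']} {h['ip']} rule={h['rule']} status={h['status']} cart_contents={h['value']!r}")
```

A 500 response paired with a flagged value is worth prioritising, since a database error on a malformed query is consistent with the injection point being reached.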
Update the WP eCommerce plugin to the latest available version. The SQL Injection vulnerability has been fixed in versions later than 3.15.1. Ensure you keep your plugins updated to avoid potential security issues.
CVE-2024-1514 is a critical SQL Injection vulnerability affecting WP eCommerce plugin versions up to 3.15.1, allowing attackers to extract data via the 'cart_contents' parameter.
If you are using WP eCommerce plugin version 3.15.1 or earlier, you are vulnerable to this SQL Injection attack. Check your plugin version immediately.
Upgrade the WP eCommerce plugin to the latest version that includes the security patch. If immediate upgrade is not possible, implement temporary workarounds like input validation and WAF rules.
While no active exploitation campaigns have been confirmed, the vulnerability's severity makes it a likely target for attackers. Monitor your systems closely.
Refer to the official WP eCommerce website and WordPress security announcements for the latest advisory and patch information.