Platform: wordpress
Component: mediavine-create
Fixed in: 1.9.5
CVE-2024-1711 describes a SQL Injection vulnerability affecting the Create by Mediavine plugin for WordPress. This flaw allows unauthenticated attackers to inject malicious SQL queries, potentially leading to unauthorized data access and manipulation. The vulnerability impacts versions up to and including 1.9.4. A patch is available to address this critical security issue.
The SQL Injection vulnerability in Create by Mediavine allows attackers to manipulate database queries directly. An attacker could leverage this to extract sensitive information such as user credentials, plugin configurations, or other stored data. Successful exploitation could lead to complete database compromise, allowing attackers to modify content, gain administrative access, or even delete data. Because no authentication is required, the attack surface is significantly broader and the flaw is reachable by a wide range of potential adversaries. Like other SQL injection flaws, it lets an attacker bypass application-level security controls by supplying input that the application interprets as part of a database query.
CVE-2024-1711 was publicly disclosed on March 20, 2024. No known active exploitation campaigns have been reported as of this writing. Public proof-of-concept exploits are likely to emerge given the ease of exploitation associated with SQL injection vulnerabilities. The vulnerability is not currently listed on the CISA KEV catalog. The NVD entry was published on the same date as the public disclosure.
Exploit Status
EPSS: 0.85% (75th percentile)
CVSS Vector
The primary mitigation for CVE-2024-1711 is to immediately upgrade the Create by Mediavine plugin to a version that includes the security fix. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin to prevent exploitation. While not a complete solution, a Web Application Firewall (WAF) with SQL injection protection rules can provide an additional layer of defense. Regularly review WordPress plugin configurations and ensure the WordPress database user holds only the privileges it needs, so that a successful attack does less damage. After upgrading, verify the fix by attempting a SQL injection attack on the vulnerable endpoint and confirming that the input is properly sanitized.
Update the Create by Mediavine plugin to the latest available version. Version 1.9.5 or higher corrects the SQL Injection vulnerability. You can update through the WordPress admin panel or by downloading the latest version from the official repository.
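The check-then-remediate procedure above (find the installed version, update if it is in the affected range, otherwise deactivate as the interim mitigation) can be scripted with WP-CLI. The following is an added example, not code from the advisory or from Mediavine; it takes the plugin slug `mediavine-create` and the affected range (versions up to and including 1.9.4) from this page, and assumes WP-CLI (`wp`) is installed and the script is run from the WordPress root. The version comparison is done in plain POSIX sh so it does not depend on `sort -V`.

```shell
#!/bin/sh
# Added example (not from the advisory or the Mediavine project): check whether the
# installed Create by Mediavine plugin is within the affected range of CVE-2024-1711
# (<= 1.9.4 per the advisory) and, when run with --apply, update it or deactivate it.
# Assumes WP-CLI ("wp") is installed and the script runs from the WordPress root.
set -eu

LAST_AFFECTED="1.9.4"        # from the advisory: versions <= 1.9.4 are affected
PLUGIN_SLUG="mediavine-create"

# version_le A B -> exit 0 when dotted version A <= B, compared numerically
# component by component. Missing components count as 0 ("1.9" == "1.9.0") and a
# non-numeric suffix such as "-beta" is ignored.
version_le() {
    a="$1." b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}
        y=${b%%.*}; b=${b#*.}
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 0
}

# is_vulnerable VERSION -> exit 0 when VERSION is within the affected range.
is_vulnerable() {
    version_le "$1" "$LAST_AFFECTED"
}

# Look up the installed version with WP-CLI, then fix or contain. The vendor
# update is preferred; if it fails, the plugin is deactivated, which is the
# advisory's interim mitigation.
remediate() {
    if ! installed=$(wp plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null); then
        echo "$PLUGIN_SLUG is not installed; nothing to do"
        return 0
    fi
    if is_vulnerable "$installed"; then
        echo "$PLUGIN_SLUG $installed is affected by CVE-2024-1711"
        wp plugin update "$PLUGIN_SLUG" || wp plugin deactivate "$PLUGIN_SLUG"
        echo "now: version $(wp plugin get "$PLUGIN_SLUG" --field=version)," \
             "status $(wp plugin get "$PLUGIN_SLUG" --field=status)"
    else
        echo "$PLUGIN_SLUG $installed is not in the affected range"
    fi
}

# Only touch the site when explicitly asked; without --apply nothing is changed.
case "${1:-}" in
    --apply) remediate ;;
esac
```

Run it as `sh check-mediavine.sh --apply` from the site root. Without `--apply` the script only defines the functions, so `is_vulnerable` can be sourced and reused in an inventory loop across several sites before any change is made.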
CVE-2024-1711 is a critical SQL Injection vulnerability in the Create by Mediavine WordPress plugin, allowing attackers to potentially extract sensitive database information.
You are affected if you are using Create by Mediavine plugin versions less than or equal to 1.9.4. Immediate action is required.
Upgrade the Create by Mediavine plugin to the latest available version that includes the security fix. If immediate upgrade is not possible, temporarily disable the plugin.
No active exploitation campaigns have been confirmed as of this writing, but public proof-of-concept exploits are likely to emerge.
Refer to the Mediavine website and WordPress plugin repository for the latest advisory and update information.