Platform
wordpress
Component
postmash
Fixed in
1.2.1
CVE-2024-25927 describes a SQL Injection vulnerability discovered in the postMash – custom post order WordPress plugin. This vulnerability allows attackers to inject malicious SQL code, potentially compromising the database and gaining unauthorized access to sensitive information. The vulnerability affects versions of the plugin up to 1.2.0, and a patch is available in version 1.2.1.
Successful exploitation of this SQL Injection vulnerability could allow an attacker to bypass authentication, read sensitive data (such as user credentials, post content, and configuration details), modify data, or even execute arbitrary commands on the server. The blast radius extends to any data stored within the WordPress database accessible through the vulnerable plugin. Depending on the database user permissions, an attacker could potentially gain complete control over the WordPress installation and the underlying server. This vulnerability shares characteristics with other SQL Injection flaws, where improper input validation leads to the execution of unintended SQL queries.
CVE-2024-25927 was publicly disclosed on February 28, 2024. The vulnerability's severity is rated as CRITICAL (CVSS 9.3). As of this writing, there are no known public exploits or active campaigns targeting this specific vulnerability, but the ease of exploitation associated with SQL Injection vulnerabilities means it is likely to be targeted. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.22% (45% percentile)
CVSS Vector
The primary mitigation for CVE-2024-25927 is to immediately upgrade the postMash – custom post order plugin to version 1.2.1 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to filter potentially malicious SQL queries targeting the plugin's endpoints. Specifically, look for patterns indicative of SQL injection attempts, such as the presence of single quotes, double quotes, semicolons, or SQL keywords in user-supplied input. Regularly review database user permissions to ensure they adhere to the principle of least privilege.
Update the postMash – custom post order plugin to a version later than 1.2.0. This will resolve the SQL Injection vulnerability. If no version is available, consider disabling the plugin until an update is released.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-25927 is a critical SQL Injection vulnerability affecting the postMash – custom post order WordPress plugin, allowing attackers to inject malicious SQL code.
You are affected if you are using postMash – custom post order version 1.2.0 or earlier. Upgrade to 1.2.1 to mitigate the risk.
Upgrade the postMash – custom post order plugin to version 1.2.1 or later. Consider a WAF as a temporary workaround if immediate upgrade is not possible.
While there are no confirmed active exploits currently, the ease of exploitation makes it a likely target for attackers.
Refer to the plugin developer's website or the WordPress plugin repository for the latest advisory and update information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.