Platform: wordpress
Component: profilegrid-user-profiles-groups-and-communities
Fixed in: 5.7.9
CVE-2024-30490 is a SQL injection vulnerability in ProfileGrid (plugin slug profilegrid-user-profiles-groups-and-communities), a WordPress plugin for user profiles, groups and communities. Untrusted input reaches a database query without being properly neutralized, so an attacker can change the structure of the query and read or modify data the query was never meant to touch. Versions up to and including 5.7.8 are affected; version 5.7.9 contains the fix.
The impact of a successful injection depends on which query is reachable, on the privilege level the attacker needs to reach it (this page does not state it; check the vendor advisory), and on the privileges of the database account WordPress runs with. In the common deployment that account has full access to the site's database, so an attacker who can execute arbitrary SQL can read the wp_users table (password hashes, e-mail addresses) and user metadata, and can alter or delete rows, including options the site relies on. Taking over the underlying server would require additional steps beyond what this advisory describes. The exposure is wider than the plugin's own tables because ProfileGrid is used to manage user profiles, which are exactly the records an attacker is after.
CVE-2024-30490 was publicly disclosed on March 29, 2024. No active exploitation campaigns have been publicly confirmed, and the vulnerability is not listed in the CISA KEV catalog. Its EPSS score of 14.44% (94th percentile) nevertheless places it among the CVEs most likely to see exploitation attempts, and SQL injection in a widely installed WordPress plugin is the kind of flaw for which public proof-of-concept code commonly appears; treat it as CRITICAL and plan on attempts.
Exploit Status:
EPSS: 14.44% (94th percentile)
CVSS Vector:
The primary mitigation for CVE-2024-30490 is to upgrade ProfileGrid to version 5.7.9 or later without delay. The vulnerable queries are inside the plugin's own code, so "add input validation and parameterized queries" is not something a site operator can do short of forking the plugin; if you cannot upgrade immediately, deactivate the plugin or place a WAF rule in front of the affected endpoints as a stop-gap, and treat either as temporary rather than as a substitute for the patch. Independently of this CVE, run WordPress with a database account restricted to its own database, review database and web-server logs for unexpected queries or requests, and rotate credentials if you find evidence of abuse.
Update the ProfileGrid plugin to the latest available version. The vulnerability allows execution of arbitrary SQL commands against the site's database, so apply the update as soon as possible.
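As an added example (not code from this advisory or from the ProfileGrid project), the following POSIX shell script decides whether an installed copy of ProfileGrid is inside the affected range for CVE-2024-30490. It assumes the plugin lives under wp-content/plugins/ in a directory named after the slug, and reads the installed version from WP-CLI when available, otherwise from the "Version:" header of the plugin's main file (the file name is not assumed; every top-level .php file in the plugin directory is searched). Version components are compared numerically, so 5.7.10 and 5.10.0 are correctly treated as newer than 5.7.9; pre-release suffixes such as "-beta" are ignored.

```shell
#!/bin/sh
# Added example for CVE-2024-30490 (not from the advisory or the plugin):
# report whether the installed ProfileGrid is <= 5.7.8, the affected range.

FIXED_VERSION="5.7.9"
PLUGIN_SLUG="profilegrid-user-profiles-groups-and-communities"

# Numeric part of one version component: "9-beta" -> "9", "" -> "0".
# Pre-release suffixes are deliberately ignored.
_numeric_segment() {
    seg=$(printf '%s' "$1" | tr -cd '0-9')
    printf '%s' "${seg:-0}"
}

# version_lt A B: exit 0 when dotted version A sorts before B, 1 otherwise.
# Components are compared as integers, so 5.10.0 > 5.7.9 and 5.7 == 5.7.0.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ahead="${a%%.*}"; bhead="${b%%.*}"
        if [ "$ahead" = "$a" ]; then a=""; else a="${a#*.}"; fi
        if [ "$bhead" = "$b" ]; then b=""; else b="${b#*.}"; fi
        an=$(_numeric_segment "$ahead"); bn=$(_numeric_segment "$bhead")
        if [ "$an" -lt "$bn" ]; then return 0; fi
        if [ "$an" -gt "$bn" ]; then return 1; fi
    done
    return 1
}

# profilegrid_is_vulnerable VERSION: exit 0 when VERSION is in the affected
# range (anything older than the fixed release).
profilegrid_is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# installed_profilegrid_version [WP_ROOT]: print the installed version.
# Tries WP-CLI first, then falls back to the plugin header comment
# (a line such as " * Version: 5.7.8" in the plugin's main file).
installed_profilegrid_version() {
    wp_root="${1:-.}"
    plugin_dir="$wp_root/wp-content/plugins/$PLUGIN_SLUG"
    if command -v wp >/dev/null 2>&1; then
        v=$(wp plugin get "$PLUGIN_SLUG" --field=version --path="$wp_root" 2>/dev/null) \
            && [ -n "$v" ] && { printf '%s\n' "$v"; return 0; }
    fi
    [ -d "$plugin_dir" ] || return 1
    grep -h -m 1 -E '^[[:space:]*]*Version:' "$plugin_dir"/*.php 2>/dev/null \
        | sed -E 's/^[[:space:]*]*Version:[[:space:]]*//' | head -n 1
}

# Usage: sh check-profilegrid.sh --check /var/www/html
# Exit status: 0 not affected, 1 affected, 2 plugin not found.
if [ "${1:-}" = "--check" ]; then
    v=$(installed_profilegrid_version "${2:-.}") || v=""
    if [ -z "$v" ]; then
        echo "ProfileGrid not found under ${2:-.}"
        exit 2
    fi
    if profilegrid_is_vulnerable "$v"; then
        echo "ProfileGrid $v is affected by CVE-2024-30490; upgrade to $FIXED_VERSION or later"
        exit 1
    fi
    echo "ProfileGrid $v is not in the affected range"
fi
```

Run it as `sh check-profilegrid.sh --check /path/to/wordpress` on each site, or loop it over a list of document roots; a non-zero exit status makes it easy to feed into a fleet-wide inventory job. The fallback to the header comment matters because the version recorded by WP-CLI and the version actually on disk can disagree after a failed or partial update.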
CVE-2024-30490 is a critical SQL injection vulnerability affecting ProfileGrid versions up to and including 5.7.8. Attackers can inject SQL into a plugin query to read or manipulate data in the site's database.
If you are using ProfileGrid version 5.7.8 or earlier, you are vulnerable. Check your plugin version and upgrade immediately.
Upgrade ProfileGrid to version 5.7.9 or later. This resolves the SQL Injection vulnerability.
While no active exploitation campaigns have been confirmed, the CRITICAL severity and the EPSS score (14.44%, 94th percentile) indicate that exploitation attempts are likely.
Refer to the official ProfileGrid website and WordPress plugin repository for the latest security advisories and updates.