Platform
wordpress
Component
wp-travel-engine
Fixed in
5.7.10
CVE-2024-30502 describes a SQL Injection vulnerability affecting WP Travel Engine versions up to 5.7.9. This flaw allows attackers to inject malicious SQL code, potentially leading to unauthorized data access and manipulation. The vulnerability was published on March 29, 2024, and a fix is available in version 5.7.10.
Successful exploitation of this SQL Injection vulnerability could allow an attacker to bypass authentication and authorization mechanisms, granting them access to the underlying database. This could lead to the theft of sensitive user data, including personal information, booking details, and payment information. Furthermore, an attacker could potentially modify or delete data, disrupting the functionality of the WP Travel Engine plugin and impacting the website's operations. The impact is particularly severe given the potential for widespread data compromise and service disruption.
This vulnerability is considered critical due to the ease of exploitation and potential impact. While no public exploits have been widely reported, the SQL Injection nature of the vulnerability makes it a high-priority target for malicious actors. The vulnerability was disclosed on March 29, 2024, and is tracked by the NVD. There is no indication of this being added to the CISA KEV catalog at this time.
Exploit Status
EPSS
18.43% (95% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-30502 is to immediately upgrade WP Travel Engine to version 5.7.10 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) with rules to detect and block SQL Injection attempts targeting the vulnerable endpoints. Carefully review and sanitize all user inputs to prevent malicious SQL code from being injected. Regularly scan your WordPress installation for vulnerabilities using a reputable security plugin. After upgrading, confirm the fix by attempting a SQL Injection attack on the vulnerable endpoint and verifying that it is blocked.
Update the WP Travel Engine plugin to the latest available version. The unauthenticated blind SQL injection vulnerability has been fixed in versions later than 5.7.9. To update, go to the WordPress admin dashboard, then to the Plugins section and search for WP Travel Engine. Click 'Update Now'.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-30502 is a critical SQL Injection vulnerability affecting WP Travel Engine versions up to 5.7.9, allowing attackers to inject malicious SQL code and potentially access sensitive data.
You are affected if you are using WP Travel Engine version 5.7.9 or earlier. Immediately check your plugin version and upgrade if necessary.
Upgrade WP Travel Engine to version 5.7.10 or later. Consider a WAF as an interim measure if immediate upgrade is not possible.
While no widespread exploitation has been confirmed, the vulnerability's nature makes it a likely target for malicious actors. Proactive mitigation is highly recommended.
Refer to the WP Travel Engine website and WordPress plugin repository for the latest security advisories and updates related to CVE-2024-30502.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.