Platform
wordpress
Component
wpforo
Fixed in
2.3.4
CVE-2024-3200 is a critical SQL Injection vulnerability affecting the wpForo Forum plugin for WordPress. This flaw allows authenticated attackers, possessing contributor-level access or higher, to inject malicious SQL queries. Versions of wpForo Forum up to and including 2.3.3 are vulnerable. A patch is available in version 2.3.4.
The SQL Injection vulnerability in wpForo Forum arises from insufficient escaping of the 'slug' parameter within the 'wpforo' shortcode. An attacker can leverage this to append arbitrary SQL queries to existing database queries. Successful exploitation could lead to the extraction of sensitive data stored within the WordPress database, including user credentials, forum posts, and potentially other application data. Depending on the database schema and permissions, an attacker might even be able to modify or delete data, leading to a complete compromise of the WordPress site and its associated data. This vulnerability is particularly concerning given the popularity of WordPress and the potential for widespread exploitation.
CVE-2024-3200 was publicly disclosed on June 1, 2024. While no active exploitation campaigns have been definitively confirmed at the time of writing, the CRITICAL severity and the ease of exploitation (requiring only contributor access) suggest a high probability of exploitation. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge, increasing the risk of widespread exploitation.
Exploit Status
EPSS
1.03% (77% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-3200 is to immediately upgrade the wpForo Forum plugin to version 2.3.4 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to filter out potentially malicious SQL injection attempts targeting the 'wpforo' shortcode's 'slug' parameter. Specifically, look for unusual characters or SQL keywords within the slug value. Additionally, review user roles and permissions to ensure that only authorized users have contributor access or higher. After upgrading, confirm the fix by attempting to inject a simple SQL query via the 'wpforo' shortcode and verifying that it is properly sanitized and does not result in an error or data leakage.
Update the wpForo Forum plugin to version 2.3.4 or higher. This version fixes the (SQL Injection) vulnerability. You can update through the WordPress admin panel or by downloading the latest version from the official repository.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-3200 is a critical SQL Injection vulnerability in the wpForo Forum plugin for WordPress, allowing attackers to inject SQL queries and potentially extract sensitive data.
Yes, if you are using wpForo Forum version 2.3.3 or earlier, you are vulnerable to this SQL Injection flaw.
Upgrade the wpForo Forum plugin to version 2.3.4 or later to resolve the vulnerability. Consider WAF rules as a temporary mitigation.
While no active exploitation campaigns have been confirmed, the CRITICAL severity and ease of exploitation suggest a high probability of exploitation.
Refer to the official wpForo Forum website and WordPress plugin repository for updates and advisories related to CVE-2024-3200.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.