Platform: wordpress
Component: real-estate-listing-realtyna-wpl
Fixed in: 4.14.5
CVE-2024-32128 identifies a SQL Injection vulnerability within the Realtyna Organic IDX plugin and the WPL Real Estate plugin. This flaw allows attackers to inject malicious SQL code, potentially compromising sensitive data and gaining unauthorized access to the WordPress database. The vulnerability impacts versions up to 4.14.4, and a patch is available in version 4.14.5.
Successful exploitation of this SQL Injection vulnerability could allow an attacker to bypass authentication, read sensitive data (such as user credentials, property listings, and financial information), modify database records, or even execute arbitrary commands on the server. The blast radius extends to any data stored within the WordPress database managed by the Realtyna IDX plugin. A skilled attacker could leverage this to gain complete control over the website and potentially pivot to other systems on the network. This vulnerability shares characteristics with other SQL injection flaws, where improper input validation leads to code execution within the database context.
This vulnerability was publicly disclosed on April 15, 2024. While no active exploitation campaigns have been definitively confirmed, the CRITICAL CVSS score (9.3) indicates a high probability of exploitation. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept exploits are likely to emerge given the ease of exploitation associated with SQL Injection vulnerabilities.
Exploit Status
EPSS: 11.04% (93rd percentile)
CVSS Vector
The primary mitigation is to immediately upgrade the Realtyna Organic IDX plugin and WPL Real Estate plugin to version 4.14.5 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to filter potentially malicious SQL queries targeting the vulnerable endpoints. Specifically, look for patterns involving single quotes, double quotes, semicolons, and SQL keywords in user-supplied input. Regularly review database access logs for suspicious activity and implement strong password policies for all WordPress users.
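The stopgap the paragraph above describes (screening user-supplied input for quotes, statement terminators and SQL keywords) is easy to get wrong in both directions: a rule that alerts on every single quote drowns in false positives from names like O'Brien, while a keyword-only rule fires on ordinary search terms. The script below is an added illustration, not code from the advisory or from the Realtyna plugins; it scores each decoded query-string parameter in constructed access-log lines and alerts only when several signals coincide. The parameter names, IPs and paths in the sample log are placeholders, not documented plugin routes.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines in combined log format. The IPs are
# documentation addresses and the parameter names are placeholders; none of
# this is real traffic or a documented plugin endpoint.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Apr/2024:10:01:02 +0000] "GET /?listing_id=12&view=ajax HTTP/1.1" 200 5120
203.0.113.11 - - [15/Apr/2024:10:01:09 +0000] "GET /?listing_id=12%27%20OR%201%3D1--%20&view=ajax HTTP/1.1" 200 9811
203.0.113.12 - - [15/Apr/2024:10:02:15 +0000] "GET /?s=O%27Brien+house HTTP/1.1" 200 3300
203.0.113.13 - - [15/Apr/2024:10:03:40 +0000] "GET /?s=houses+or+flats HTTP/1.1" 200 4100
"""

# Combined log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Weighted signals. A lone quote or a lone keyword is weak evidence; a quote
# combined with a comment marker and a tautology such as OR 1=1 is strong.
SIGNALS = [
    (1, "quote", re.compile(r"['\"]")),
    (1, "comment-or-terminator", re.compile(r"(--|/\*|#|;)")),
    (1, "sql-keyword", re.compile(
        r"\b(union|select|insert|update|delete|drop|sleep|benchmark|or|and)\b", re.I)),
    (2, "tautology", re.compile(r"\b(or|and)\b\s+\S+\s*=\s*\S+", re.I)),
]
ALERT_THRESHOLD = 3  # chosen so that a single weak signal never alerts


def score_value(value):
    """Return (score, reasons) for one URL-decoded parameter value."""
    score, reasons = 0, []
    for weight, name, pattern in SIGNALS:
        if pattern.search(value):
            score += weight
            reasons.append(name)
    return score, reasons


def scan_log(text, threshold=ALERT_THRESHOLD):
    """Scan combined-format log lines; return one alert dict per suspicious parameter."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the scanner
        query = urlsplit(m["target"]).query
        # parse_qsl percent-decodes values, so encoded payloads are inspected decoded
        for name, value in parse_qsl(query, keep_blank_values=True):
            score, reasons = score_value(value)
            if score >= threshold:
                alerts.append({"ip": m["ip"], "ts": m["ts"], "param": name,
                               "value": value, "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a['ts']} {a['ip']} param={a['param']!r} score={a['score']} "
              f"reasons={','.join(a['reasons'])} value={a['value']!r}")
```

Run as-is, only the second line alerts; the O'Brien and "houses or flats" requests each score 1 and pass. Two caveats for anyone using this as a WAF model: access logs record only the query string, so POST bodies, JSON bodies and cookies need inspection at the WAF or application layer, and any signature list is a stopgap that a determined attacker can work around, which is why the advisory's primary mitigation is the upgrade to 4.14.5.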
Update the Realtyna Organic IDX plugin and the WPL Real Estate plugin to the latest available version. The SQL Injection vulnerability has been fixed in versions later than 4.14.4. See the plugin page on WordPress for the most recent version.
CVE-2024-32128 is a critical SQL Injection vulnerability affecting Realtyna Organic IDX and WPL Real Estate plugins, allowing attackers to inject malicious SQL code and potentially access sensitive data.
You are affected if you are using Realtyna Organic IDX or WPL Real Estate plugin versions 4.14.4 or earlier. Immediate action is required.
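To answer the question above without guessing, read the installed version from the plugin's main file header (WordPress plugin headers declare it as a `Version:` line) and compare it numerically against the fixed release. The following is an added example, not part of the advisory and not the plugin's own code; the sample header is constructed, and the only version numbers it relies on are the 4.14.4 / 4.14.5 boundary stated on this page.

```python
import re

FIXED_VERSION = "4.14.5"  # first fixed release per the advisory

# Constructed sample of a WordPress plugin main-file header; not the real plugin.
SAMPLE_HEADER = """\
<?php
/**
 * Plugin Name: Example Real Estate Plugin (constructed sample)
 * Version: 4.14.4
 * Requires PHP: 7.4
 */
"""

# Matches "Version: x.y.z" at the start of a header line, allowing the usual
# comment decoration (" * ", "//", "#") in front of the key.
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:\s*(?P<v>\S+)", re.M)


def parse_version(v):
    """'4.14.5' -> (4, 14, 5); a non-numeric tail such as '-beta' is ignored."""
    parts = []
    for piece in re.split(r"[.\-]", v):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def header_version(plugin_file_text):
    """Return the Version: value from a plugin header, or None if absent."""
    m = HEADER_RE.search(plugin_file_text)
    return m["v"] if m else None


def is_affected(installed, fixed=FIXED_VERSION):
    """True when the installed version is older than the first fixed release."""
    return parse_version(installed) < parse_version(fixed)


if __name__ == "__main__":
    v = header_version(SAMPLE_HEADER)
    print(f"installed {v}: {'AFFECTED, upgrade to ' + FIXED_VERSION if is_affected(v) else 'not affected'}")
```

Tuple comparison handles versions of unequal length correctly (`(4, 14)` sorts before `(4, 14, 5)`), which a plain string comparison of "4.14.10" against "4.14.5" would get wrong. In a real environment, point `header_version` at the plugin's main PHP file under `wp-content/plugins/`, or use `wp plugin list` from WP-CLI, rather than trusting a cached dashboard value.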
Upgrade the Realtyna Organic IDX and WPL Real Estate plugin to version 4.14.5 or later to patch the vulnerability. Consider WAF rules as a temporary workaround.
While no confirmed active exploitation campaigns are known, the CRITICAL severity suggests a high likelihood of exploitation. Monitor your systems closely.
Refer to the Realtyna website and WordPress plugin repository for the latest advisory and update information regarding CVE-2024-32128.