Platform: wordpress
Component: wp-recall
Fixed in: 16.26.6
CVE-2024-32709 describes a SQL Injection vulnerability discovered in the WP-Recall WordPress plugin. This flaw allows attackers to inject malicious SQL code, potentially compromising the database and gaining unauthorized access to sensitive information. The vulnerability impacts versions of WP-Recall up to and including 16.26.5. A patch is available in version 16.26.6.
Successful exploitation of this SQL Injection vulnerability could grant an attacker complete control over the WordPress database. This includes the ability to read, modify, or delete any data stored within the database, such as user credentials, customer information, and sensitive business data. An attacker could also leverage this vulnerability to execute arbitrary commands on the server, potentially leading to a full system compromise. The blast radius extends to any data stored within the WordPress database, making this a high-impact vulnerability for organizations relying on WP-Recall.
CVE-2024-32709 was publicly disclosed on April 24, 2024. While no active exploitation campaigns have been confirmed, the CRITICAL severity and the ease of SQL Injection exploitation suggest a high probability of exploitation. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability is listed on the CISA KEV catalog, indicating a heightened risk.
Exploit Status
EPSS: 92.91% (100% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-32709 is to immediately upgrade the WP-Recall plugin to version 16.26.6 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to filter out potentially malicious SQL injection attempts targeting the vulnerable endpoints. Carefully review and sanitize all user inputs to prevent SQL injection attacks. Monitor WordPress logs for suspicious SQL queries or database activity.
Update the WP-Recall plugin to the latest available version. If no version is available, consider disabling the plugin until a patched version is released. See the vendor's website for more information and updates.
CVE-2024-32709 is a critical SQL Injection vulnerability affecting the WP-Recall WordPress plugin, allowing attackers to inject malicious SQL code and potentially compromise the database.
You are affected if you are using WP-Recall version 16.26.5 or earlier. Check your plugin version and upgrade immediately if vulnerable.
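To make the "check your plugin version" step concrete, the following added example (not code from the advisory or from the WP-Recall project) reads the `Version:` field from a WordPress plugin header and compares it numerically against the fixed release, so that a future 16.26.10 is not mistaken for a vulnerable build by string comparison. The plugin main-file path `wp-content/plugins/wp-recall/wp-recall.php` is an assumption; the sample header is constructed.

```python
import re
from pathlib import Path

# Affected range stated in the advisory: <= 16.26.5 vulnerable, fixed in 16.26.6.
FIXED_VERSION = "16.26.6"

# Assumed location of the plugin's main file inside a WordPress install.
PLUGIN_MAIN_FILE = "wp-content/plugins/wp-recall/wp-recall.php"

# Constructed sample of a WordPress plugin header comment.
SAMPLE_HEADER = """<?php
/*
Plugin Name: WP-Recall
Version: 16.26.5
*/
"""


def parse_version(version: str) -> tuple:
    """Turn '16.26.5' into (16, 26, 5) so comparisons are numeric per component.
    A plain string compare would rank '16.26.10' below '16.26.6'."""
    parts = []
    for piece in version.strip().split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def plugin_version_from_header(header_text: str):
    """Extract the 'Version:' field from a plugin header comment, or None if absent."""
    match = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text,
                      re.MULTILINE | re.IGNORECASE)
    return match.group(1) if match else None


def is_vulnerable(version: str) -> bool:
    """True when the installed version is older than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def check_install(wp_root: str) -> dict:
    """Inspect a WordPress root on disk and report the WP-Recall status."""
    path = Path(wp_root) / PLUGIN_MAIN_FILE
    if not path.is_file():
        return {"installed": False, "version": None, "vulnerable": False}
    version = plugin_version_from_header(path.read_text(errors="replace"))
    return {"installed": True, "version": version,
            "vulnerable": version is not None and is_vulnerable(version)}
```

Run `check_install("/var/www/html")` (or your own web root) on each site; any result with `"vulnerable": True` needs the 16.26.6 upgrade.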
Upgrade the WP-Recall plugin to version 16.26.6 or later. If immediate upgrade is not possible, implement a WAF rule and sanitize user inputs.
While no active exploitation campaigns have been confirmed, the CRITICAL severity and ease of exploitation suggest a high probability of exploitation.
Refer to the WP-Recall plugin's official website or WordPress plugin repository for the latest advisory and update information.