Platform: wordpress
Component: mp-timetable
Fixed in: 2.4.12
CVE-2024-3342 describes a SQL Injection vulnerability discovered in the Timetable and Event Schedule plugin by MotoPress for WordPress. The vulnerability allows authenticated attackers to inject SQL into the plugin's database queries, potentially leading to data breaches and unauthorized access. It affects versions of the plugin up to and including 2.4.11. A patch is available from the vendor.
The SQL Injection vulnerability lies within the 'events' attribute of the 'mp-timetable' shortcode. An attacker with contributor-level access or higher can craft a malicious shortcode that injects arbitrary SQL code into existing queries. This injected code can be used to extract sensitive information stored within the WordPress database, such as user credentials, event details, or other application data. The potential impact extends to complete compromise of the database, enabling attackers to modify, delete, or exfiltrate data. Successful exploitation could lead to significant data loss, reputational damage, and regulatory compliance issues.
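The pattern behind this class of bug, as an added illustration that is not code from the mp-timetable plugin or from MotoPress: a hypothetical shortcode handler that looks up events by ID, first written so that the `events` attribute is interpolated straight into SQL, then hardened so the attribute is reduced to a list of integers and bound through `$wpdb->prepare()`. The shortcode name `hypothetical-timetable`, the table name, the function names and the WordPress runtime (`$wpdb`, `shortcode_atts()`, `absint()`, `esc_html()`) are assumptions of this example.

```php
<?php
// Added example, not the plugin's code. Assumes a WordPress runtime.

// VULNERABLE PATTERN (hypothetical): the attribute value reaches the SQL text
// exactly as the post author typed it, so the IN (...) list can be extended
// with arbitrary SQL by anyone allowed to place the shortcode.
function hypothetical_timetable_unsafe( $atts ) {
    global $wpdb;
    $atts = shortcode_atts( array( 'events' => '' ), $atts, 'hypothetical-timetable' );
    $sql  = "SELECT id, name FROM {$wpdb->prefix}events WHERE id IN ({$atts['events']})";
    return hypothetical_timetable_render( $wpdb->get_results( $sql ) );
}

// Reduce the attribute to a de-duplicated list of positive integers. Anything
// that is not a bare decimal number is discarded rather than escaped.
function hypothetical_timetable_parse_ids( $raw ) {
    $ids = array();
    foreach ( explode( ',', (string) $raw ) as $piece ) {
        $piece = trim( $piece );
        if ( '' === $piece || ! ctype_digit( $piece ) ) {
            continue;
        }
        $ids[] = absint( $piece );
    }
    // array_filter() drops the id 0, array_unique() removes repeats.
    return array_values( array_unique( array_filter( $ids ) ) );
}

// HARDENED: one %d placeholder per id, values bound by $wpdb->prepare(), so no
// part of the attribute is ever concatenated into the query text.
function hypothetical_timetable_safe( $atts ) {
    global $wpdb;
    $atts = shortcode_atts( array( 'events' => '' ), $atts, 'hypothetical-timetable' );
    $ids  = hypothetical_timetable_parse_ids( $atts['events'] );
    if ( empty( $ids ) ) {
        return '';
    }
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $sql = $wpdb->prepare(
        "SELECT id, name FROM {$wpdb->prefix}events WHERE id IN ($placeholders)",
        $ids
    );
    return hypothetical_timetable_render( $wpdb->get_results( $sql ) );
}

// Output is escaped on the way out as well, independent of the SQL fix.
function hypothetical_timetable_render( $rows ) {
    $out = '<ul>';
    foreach ( (array) $rows as $row ) {
        $out .= '<li>' . esc_html( $row->name ) . '</li>';
    }
    return $out . '</ul>';
}

add_shortcode( 'hypothetical-timetable', 'hypothetical_timetable_safe' );
```

The important design choice is that the hardened version never tries to escape the attribute: it converts it to a typed value (a list of integers) and lets the database driver bind those values. An allow-list conversion like this closes the injection regardless of which SQL dialect or quoting rules the backend uses.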
CVE-2024-3342 was publicly disclosed on April 27, 2024. No public proof-of-concept (PoC) code has been widely released at the time of this writing, but the vulnerability's ease of exploitation suggests a high likelihood of PoC development and potential exploitation in the wild. The vulnerability is not currently listed on the CISA KEV catalog. Given the plugin's popularity and the critical severity of the vulnerability, active exploitation is a significant concern.
Exploit Status
EPSS: 0.31% (54th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-3342 is to immediately upgrade the Timetable and Event Schedule plugin to a version patched against this vulnerability. If upgrading is not immediately feasible due to compatibility concerns or breaking changes, consider restricting access to the 'mp-timetable' shortcode to authorized users only. Web Application Firewalls (WAFs) configured with rules to detect and block SQL injection attempts targeting the shortcode parameter can provide an additional layer of defense. Monitor WordPress logs for suspicious SQL queries or database activity.
Update the Timetable and Event Schedule by MotoPress plugin to the latest available version. Version 2.4.12 or later corrects this SQL injection vulnerability.
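Two of the interim measures above, restricting who can place the shortcode and monitoring for abuse, written out as an added example for a site that cannot upgrade immediately. This is not code from the plugin or from MotoPress; it assumes a WordPress runtime (`$wpdb`, `get_shortcode_regex()`, `shortcode_parse_atts()`, `current_user_can()`, `add_filter()`), and the function names, the `publish_pages` capability chosen as the cut-off, and the rule that a legitimate `events` value is a comma-separated list of integers are assumptions of this example. The shortcode name `mp-timetable` and the attribute name `events` are taken from the advisory.

```php
<?php
// Added example, not the plugin's code. Assumes a WordPress runtime.

// A legitimate events= value is only a comma-separated list of integers.
function hypothetical_is_clean_event_list( $value ) {
    return (bool) preg_match( '/^\s*\d+(\s*,\s*\d+)*\s*$/', (string) $value );
}

// Audit stored content: report every [mp-timetable] shortcode whose events
// attribute is not a plain ID list, together with the post and author that
// saved it. Run once after installing this, and again after the upgrade.
function hypothetical_audit_timetable_shortcodes() {
    global $wpdb;
    $findings = array();
    $like  = '%' . $wpdb->esc_like( '[mp-timetable' ) . '%';
    $posts = $wpdb->get_results( $wpdb->prepare(
        "SELECT ID, post_author, post_status, post_content FROM {$wpdb->posts} WHERE post_content LIKE %s",
        $like
    ) );
    $regex = '/' . get_shortcode_regex( array( 'mp-timetable' ) ) . '/s';
    foreach ( (array) $posts as $post ) {
        if ( ! preg_match_all( $regex, $post->post_content, $matches, PREG_SET_ORDER ) ) {
            continue;
        }
        foreach ( $matches as $m ) {
            // Capture group 3 of the core shortcode regex is the attribute string.
            $atts = shortcode_parse_atts( $m[3] );
            if ( ! is_array( $atts ) || ! isset( $atts['events'] ) ) {
                continue;
            }
            if ( ! hypothetical_is_clean_event_list( $atts['events'] ) ) {
                $findings[] = array(
                    'post_id' => (int) $post->ID,
                    'author'  => (int) $post->post_author,
                    'status'  => $post->post_status,
                    'events'  => $atts['events'],
                );
            }
        }
    }
    return $findings;
}

// Interim restriction: strip the shortcode from content saved by any user who
// cannot publish pages. In a default install that excludes contributors and
// authors, so only editors and administrators can place it until the upgrade.
function hypothetical_restrict_timetable_shortcode( $data ) {
    if ( current_user_can( 'publish_pages' ) ) {
        return $data;
    }
    $regex = '/' . get_shortcode_regex( array( 'mp-timetable' ) ) . '/s';
    $data['post_content'] = preg_replace( $regex, '', $data['post_content'] );
    return $data;
}
add_filter( 'wp_insert_post_data', 'hypothetical_restrict_timetable_shortcode' );
```

The audit deliberately reads `post_content` with a prepared `LIKE` and a single fixed pattern rather than trusting anything derived from user input, and it flags on shape (not a clean integer list) rather than on known payloads, so it also surfaces attempts that a signature-based WAF rule would miss. Findings carry the author ID so suspicious saves by contributor-level accounts can be reviewed directly.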
CVE-2024-3342 is a critical SQL Injection vulnerability affecting the MotoPress Timetable and Event Schedule plugin for WordPress, allowing attackers to extract data.
You are affected if you run plugin version 2.4.11 or earlier. Check your installed plugin version and upgrade immediately.
Upgrade the plugin to the latest version available from the MotoPress website or WordPress plugin repository.
While no active exploitation has been confirmed, the vulnerability's severity and ease of exploitation suggest a high risk of exploitation.
Refer to the MotoPress website and WordPress plugin repository for the latest advisory and update information.