Platform
wordpress
Component
blog2social
Fixed in
7.4.2
CVE-2024-3549 is a critical SQL Injection vulnerability affecting the Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress. This flaw allows authenticated attackers, even those with subscriber-level access, to inject malicious SQL queries into existing database queries. Versions of the plugin up to and including 7.4.1 are vulnerable. A patch is available to address this issue.
The SQL Injection vulnerability in Blog2Social allows an attacker to manipulate database queries, potentially leading to unauthorized data access and modification. An attacker could extract sensitive information such as user credentials, API keys, or other confidential data stored in the WordPress database. Successful exploitation could also lead to data corruption or even complete database takeover. Given the plugin's functionality for social media scheduling, compromised accounts could be used to spread malicious content or phishing links across multiple platforms, significantly expanding the blast radius of the attack.
CVE-2024-3549 was publicly disclosed on June 11, 2024. While no public exploits have been widely reported, the CRITICAL severity and ease of exploitation (requiring only subscriber access) suggest a high probability of exploitation. It is recommended to prioritize patching this vulnerability. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.63% (70% percentile)
CVSS Vector
The primary mitigation for CVE-2024-3549 is to immediately upgrade the Blog2Social plugin to a patched version. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting access to the 'b2sSortPostType' parameter. While not a complete fix, this can reduce the attack surface. Web application firewalls (WAFs) configured to detect and block SQL Injection attempts targeting the 'b2sSortPostType' parameter can provide an additional layer of protection. Monitor WordPress logs for suspicious SQL queries originating from the plugin.
Update the Blog2Social plugin to a version later than 7.4.1. This will fix the (SQL Injection) vulnerability.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-3549 is a critical SQL Injection vulnerability in the Blog2Social plugin for WordPress versions up to 7.4.1, allowing attackers to potentially extract sensitive database information.
If you are using Blog2Social plugin version 7.4.1 or earlier, you are vulnerable to this SQL Injection flaw. Check your plugin version immediately.
Upgrade the Blog2Social plugin to the latest available version, which contains the necessary fix. If upgrading is not possible, temporarily restrict access to the 'b2sSortPostType' parameter.
While no widespread exploitation has been confirmed, the CRITICAL severity and ease of exploitation suggest a high probability of exploitation. Proactive patching is strongly recommended.
Refer to the official Blog2Social website and WordPress plugin repository for the latest advisory and update information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.