Platform: wordpress
Component: osm
Fixed in: 6.0.3
CVE-2024-3604 describes a SQL Injection vulnerability in the OSM – OpenStreetMap WordPress plugin. The flaw allows authenticated attackers with contributor-level access or higher to inject malicious SQL. It affects versions up to and including 6.0.2; the fix ships in 6.0.3, so applying it requires upgrading the plugin.
The SQL Injection vulnerability in OSM – OpenStreetMap allows an attacker to manipulate database queries. By injecting arbitrary SQL code through the 'taggedfilter' attribute of the 'osmmap_v3' shortcode, an attacker can potentially extract sensitive data stored within the WordPress database. This could include user credentials, configuration details, or other critical information. Successful exploitation could lead to complete database compromise and potentially full control of the WordPress site. The impact is amplified if the database contains sensitive user data or is connected to other critical systems.
CVE-2024-3604 was publicly disclosed on 2024-07-09. No public proof-of-concept (POC) code has been released at the time of writing, but the vulnerability's severity and ease of exploitation suggest a potential for rapid exploitation. It is not currently listed on the CISA KEV catalog. The vulnerability requires authenticated access, limiting the immediate attack surface, but the potential impact warrants immediate attention.
Exploit Status
EPSS: 0.69% (72nd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-3604 is to upgrade the OSM – OpenStreetMap WordPress plugin immediately to 6.0.3 or later, the version that addresses the vulnerability. If upgrading is not immediately feasible because of compatibility issues or breaking changes, consider temporarily restricting use of the 'taggedfilter' attribute or enforcing stricter server-side validation of its value. A WAF may offer some protection, but it is not a substitute for patching the plugin. After upgrading, verify the fix by attempting to inject a simple SQL query through the 'taggedfilter' attribute and confirming that it is properly sanitized.
Update the OSM – OpenStreetMap plugin to the latest available version. The most recent version contains the fix for the SQL Injection vulnerability. If you cannot update immediately, consider disabling the plugin temporarily.
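The pattern behind the flaw described above and the server-side validation the mitigation section suggests, as an added illustration that is not code from the OSM – OpenStreetMap plugin: a constructed vulnerable shortcode handler beside a hardened one that allow-lists the 'taggedfilter' value and binds it with $wpdb->prepare(). It assumes 'taggedfilter' is a comma-separated list of tag slugs; the function names are hypothetical.

```php
<?php
// Added illustration, not code from the OSM - OpenStreetMap plugin. It contrasts the
// general injection pattern (a shortcode attribute interpolated into SQL) with the
// hardened form. ASSUMPTION: 'taggedfilter' is a comma-separated list of tag slugs.

// Vulnerable pattern (constructed): the raw attribute becomes part of the query text,
// so a quote character in the attribute rewrites the SQL. Shortcodes are evaluated when
// a post renders, which is why any user who can author posts can reach this code path.
function osm_example_tagged_posts_vulnerable( $atts ) {
    global $wpdb;
    $atts = shortcode_atts( array( 'taggedfilter' => '' ), $atts, 'osmmap_v3' );
    $sql  = "SELECT t.term_id FROM {$wpdb->terms} t WHERE t.slug = '" . $atts['taggedfilter'] . "'";
    return $wpdb->get_col( $sql ); // unsafe: no validation, no parameter binding
}

// Hardened form: allow-list the value first, then bind it with $wpdb->prepare().
function osm_example_tagged_posts_hardened( $atts ) {
    global $wpdb;
    $atts = shortcode_atts( array( 'taggedfilter' => '' ), $atts, 'osmmap_v3' );

    // 1. Validation: reduce each entry to slug characters via sanitize_title() and drop
    //    empties, so anything that is not a plausible tag slug never reaches the query.
    $slugs = array_values( array_filter(
        array_map( 'sanitize_title', explode( ',', $atts['taggedfilter'] ) )
    ) );
    if ( empty( $slugs ) ) {
        return array();
    }

    // 2. Parameterisation: one %s placeholder per slug; prepare() escapes the bound values.
    $placeholders = implode( ', ', array_fill( 0, count( $slugs ), '%s' ) );
    $sql = $wpdb->prepare(
        "SELECT DISTINCT p.ID
           FROM {$wpdb->posts} p
           JOIN {$wpdb->term_relationships} tr ON tr.object_id = p.ID
           JOIN {$wpdb->term_taxonomy} tt ON tt.term_taxonomy_id = tr.term_taxonomy_id
           JOIN {$wpdb->terms} t ON t.term_id = tt.term_id
          WHERE tt.taxonomy = 'post_tag'
            AND p.post_status = 'publish'
            AND t.slug IN ( $placeholders )",
        $slugs
    );
    return $wpdb->get_col( $sql );
}
```

Wired up with add_shortcode( 'osmmap_v3', 'osm_example_tagged_posts_hardened' ), the hardened handler returns only published post IDs carrying one of the validated tags, regardless of what the attribute contains.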
CVE-2024-3604 is a critical SQL Injection vulnerability affecting the OSM – OpenStreetMap WordPress plugin versions up to 6.0.2. It allows authenticated attackers to inject SQL code and potentially extract sensitive data.
You are affected if you are using the OSM – OpenStreetMap WordPress plugin version 6.0.2 or earlier. Check your plugin version and upgrade immediately if necessary.
The fix is to upgrade the OSM – OpenStreetMap WordPress plugin to a patched version. Consult the plugin developer's website for the latest version and installation instructions.
While no public exploits are currently known, the vulnerability's severity and ease of exploitation suggest a potential for rapid exploitation. Monitor your systems closely.
Refer to the plugin developer's website or the WordPress plugin repository for the official advisory and updates regarding CVE-2024-3604.