Platform
wordpress
Component
wishlist-member-x
Fixed in
3.26.7
3.26.7
CVE-2024-37112 describes a critical SQL Injection vulnerability affecting the Wishlist Member plugin for WordPress. This flaw allows unauthenticated attackers to execute arbitrary SQL queries, potentially leading to data breaches and unauthorized modifications. The vulnerability impacts versions up to and including 3.25.1, and a fix is available in version 3.26.7.
The SQL Injection vulnerability in Wishlist Member allows attackers to bypass authentication and directly manipulate the WordPress database. Successful exploitation could result in the theft of sensitive user data, including usernames, passwords, email addresses, and payment information. Attackers could also modify existing data, create new user accounts with administrative privileges, or even delete entire tables. The potential blast radius is significant, as a compromised WordPress site can be used as a launchpad for further attacks against other systems on the network. This vulnerability shares similarities with other SQL Injection attacks, where attackers leverage database queries to gain unauthorized access and control.
CVE-2024-37112 was publicly disclosed on June 20, 2024. While no active exploitation campaigns have been confirmed, the CRITICAL severity and ease of exploitation make it a high-priority target. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge, increasing the risk of widespread exploitation.
Exploit Status
EPSS
0.91% (76% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-37112 is to immediately upgrade the Wishlist Member plugin to version 3.26.7 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to filter potentially malicious SQL queries targeting the vulnerable endpoint. Additionally, review and harden database user permissions to limit the impact of a successful SQL Injection attack. After upgrading, confirm the fix by attempting a SQL Injection attack on the vulnerable endpoint and verifying that it is blocked.
Update to version 3.26.7, or a newer patched version
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-37112 is a critical SQL Injection vulnerability in the Wishlist Member WordPress plugin, allowing attackers to manipulate the database and potentially steal sensitive information.
You are affected if you are using Wishlist Member version 3.26.7 or earlier. Immediately check your plugin version and upgrade if necessary.
Upgrade the Wishlist Member plugin to version 3.26.7 or later. Consider implementing a WAF rule as a temporary workaround if upgrading is not immediately possible.
While no active exploitation campaigns have been confirmed, the CRITICAL severity and ease of exploitation make it a high-priority target, and exploitation is likely.
Refer to the Wishlist Member website and WordPress plugin repository for the latest security advisory and update information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.