Platform
wordpress
Component
themify-wc-product-filter
Fixed in
1.4.10
CVE-2024-6027 is a critical SQL Injection vulnerability affecting the Themify – WooCommerce Product Filter plugin for WordPress. This vulnerability allows unauthenticated attackers to inject malicious SQL queries, potentially leading to data exfiltration and compromise of the WordPress database. The vulnerability impacts versions up to and including 1.4.9. A patch is available from the vendor.
The SQL Injection vulnerability in Themify WooCommerce Product Filter allows attackers to manipulate database queries through the ‘conditions’ parameter. Successful exploitation could enable attackers to extract sensitive information such as user credentials, customer data, order details, and other confidential data stored within the WordPress database. This could lead to identity theft, financial fraud, and reputational damage. The lack of authentication requirements means that any unauthenticated user can potentially exploit this vulnerability. The potential for data breach is significant, especially given the prevalence of WooCommerce stores handling sensitive customer information.
CVE-2024-6027 was publicly disclosed on 2024-06-21. The vulnerability is considered high-risk due to its critical CVSS score and the ease of exploitation. No public proof-of-concept (POC) code has been widely released, but the vulnerability's nature makes it likely that exploits will emerge. Monitor security advisories and threat intelligence feeds for updates.
Exploit Status
EPSS
0.95% (76% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-6027 is to upgrade the Themify – WooCommerce Product Filter plugin to a patched version. If immediate upgrading is not possible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to filter out malicious SQL injection attempts targeting the ‘conditions’ parameter. Specifically, look for patterns indicative of SQL injection payloads. Additionally, review and sanitize all user inputs within the plugin to prevent future vulnerabilities. After upgrade, confirm by attempting a query with a known malicious payload and verifying that it is properly blocked or sanitized.
Update the Themify – WooCommerce Product Filter plugin to the latest available version. The SQL Injection (SQL Injection) vulnerability was fixed in versions later than 1.4.9. This will prevent unauthenticated attackers from exploiting the vulnerability to extract sensitive information from the database.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-6027 is a critical SQL Injection vulnerability in the Themify WooCommerce Product Filter plugin for WordPress, allowing attackers to potentially extract sensitive data from the database.
You are affected if you are using Themify WooCommerce Product Filter version 1.4.9 or earlier. Check your plugin version and upgrade immediately.
Upgrade the Themify WooCommerce Product Filter plugin to the latest patched version. If upgrading is not immediately possible, implement a WAF rule to filter malicious SQL injection attempts.
While no widespread exploitation has been confirmed, the vulnerability's ease of exploitation suggests it is likely a target for attackers. Monitor for any suspicious activity.
Refer to the Themify website and WordPress plugin repository for the latest advisory and patch information regarding CVE-2024-6027.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.