Platform: wordpress
Component: userswp
Fixed in: 1.2.11
CVE-2024-6265 is a critical SQL Injection vulnerability affecting the UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress. This vulnerability allows unauthenticated attackers to inject malicious SQL queries, potentially leading to data exfiltration. The vulnerability impacts versions up to and including 1.2.10. A patch is available; users are strongly advised to upgrade immediately.
The SQL Injection vulnerability in UsersWP allows attackers to manipulate database queries through the uwpsortby parameter. Successful exploitation could enable attackers to extract sensitive information stored within the WordPress database, including user credentials (usernames and passwords), user profile data, and potentially other application-specific data. Depending on the database schema and permissions, an attacker might also be able to modify or delete data, leading to a complete compromise of the WordPress site. This vulnerability is particularly concerning given the plugin's function of managing user registration and profiles, which often contain highly sensitive personal information.
CVE-2024-6265 was publicly disclosed on June 29, 2024. As of this writing, there are no publicly available proof-of-concept exploits. The vulnerability's CRITICAL CVSS score indicates a high probability of exploitation if left unpatched. It is recommended to prioritize remediation efforts. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting this vulnerability.
Exploit Status
EPSS: 32.41% (97th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-6265 is to upgrade the UsersWP plugin to a version that addresses the SQL Injection vulnerability (1.2.11 or later). Check the plugin developer's website or the WordPress plugin repository for the latest version. If immediate upgrading is not possible due to compatibility issues or breaking changes, consider temporarily restricting the values accepted for the uwpsortby parameter using a WordPress firewall (WAF), or by adding input validation and sanitization within the plugin's code (if feasible). Monitor web server access logs for requests carrying unusual uwpsortby values. After upgrading, confirm the vulnerability is resolved by attempting a SQL injection payload through the uwpsortby parameter and verifying that it is properly sanitized.
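A small access-log check for the monitoring step above, added here as an example and not taken from the advisory or the UsersWP plugin. It assumes the Combined Log Format and that a legitimate uwpsortby value is a short identifier (letters, digits, underscore); the log lines and that shape are constructed assumptions, not the plugin's real sort keys.

```python
"""Flag requests whose uwpsortby value does not look like a sort key.

Added example for CVE-2024-6265 monitoring; not the plugin's own code.
Assumes Combined Log Format and an identifier-shaped sort key (assumption).
"""
import re
from urllib.parse import urlsplit, parse_qs

# Assumed shape of a legitimate sort key, e.g. "newer", "older", "alpha_asc".
# An empty value is treated as "default ordering", not as suspicious.
SAFE_SORT_RE = re.compile(r"^[A-Za-z0-9_]{0,32}$")

# Combined Log Format: ip - - [time] "METHOD target HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def extract_sort_values(target):
    """Return every (percent-decoded) uwpsortby value in a request target."""
    query = urlsplit(target).query
    return parse_qs(query, keep_blank_values=True).get("uwpsortby", [])


def is_suspicious(value):
    """True when the decoded value contains anything beyond identifier chars."""
    return SAFE_SORT_RE.fullmatch(value) is None


def scan_log(lines):
    """Return (ip, time, value) for each request with a suspicious uwpsortby."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        for value in extract_sort_values(m.group("target")):
            if is_suspicious(value):
                hits.append((m.group("ip"), m.group("time"), value))
    return hits


# Constructed sample traffic (not real log data); only the second line is odd.
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Jun/2024:10:14:55 +0000] "GET /members/?uwpsortby=newer HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [30/Jun/2024:10:15:02 +0000] "GET /members/?uwpsortby=newer%27 HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '203.0.113.9 - - [30/Jun/2024:10:15:10 +0000] "GET /members/?uwp_page=2&uwpsortby=alpha_asc HTTP/1.1" 200 4990 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, when, value in scan_log(SAMPLE_LOG):
        print(f"{when} {ip} suspicious uwpsortby={value!r}")
```

Feed it real log lines (for example `scan_log(open("access.log"))`) and tune SAFE_SORT_RE to the sort keys your site actually emits before acting on hits.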
Update the UsersWP plugin to the latest available version. The patched version includes security measures to prevent SQL Injection.
CVE-2024-6265 is a critical SQL Injection vulnerability in the UsersWP plugin for WordPress, allowing attackers to extract data from the database via the 'uwpsortby' parameter.
You are affected if you are using UsersWP plugin versions 1.2.10 or earlier. Check your plugin version and upgrade immediately.
Upgrade the UsersWP plugin to the latest version available on the WordPress plugin repository. Consider temporary WAF rules if immediate upgrade is not possible.
While no public exploits are currently available, the CRITICAL severity suggests a high likelihood of exploitation if left unpatched. Monitor for any signs of activity.
Check the UsersWP plugin developer's website or the WordPress plugin repository for the latest advisory and update information.