WordPress WP Travel Engine plugin <= 5.7.9 - Unauth. Blind SQL Injection vulnerability
Platform: wordpress
Component: wp-travel-engine
Fixed in: 5.7.10
CVE-2024-30502 describes a SQL Injection vulnerability affecting WP Travel Engine versions up to 5.7.9. This flaw allows attackers to inject malicious SQL code, potentially leading to unauthorized data access and manipulation. The vulnerability was published on March 29, 2024, and a fix is available in version 5.7.10.
Impact and Attack Scenarios
Successful exploitation of this SQL Injection vulnerability could allow an attacker to bypass authentication and authorization mechanisms, granting them access to the underlying database. This could lead to the theft of sensitive user data, including personal information, booking details, and payment information. Furthermore, an attacker could potentially modify or delete data, disrupting the functionality of the WP Travel Engine plugin and impacting the website's operations. The impact is particularly severe given the potential for widespread data compromise and service disruption.
Exploitation Context
This vulnerability is considered critical due to the ease of exploitation and potential impact. While no public exploits have been widely reported, the SQL Injection nature of the vulnerability makes it a high-priority target for malicious actors. The vulnerability was disclosed on March 29, 2024, and is tracked by the NVD. There is no indication of this being added to the CISA KEV catalog at this time.
Who Is at Risk
Websites utilizing the WP Travel Engine plugin, particularly those running versions prior to 5.7.10, are at significant risk. Shared hosting environments where multiple websites share the same database are especially vulnerable, as a compromise of one site could potentially lead to the compromise of others. Sites that have not implemented robust input validation and sanitization practices are also at increased risk.
Detection Steps
• wordpress / composer / npm:
grep -rnE "wp_query\('|SELECT \* FROM" /var/www/html/wp-content/plugins/wp-travel-engine/
• generic web:
curl -sI "https://your-website.com/wp-admin/admin.php?page=wp-travel-engine-settings&action=update_settings&field=some_input' OR 1=1" | grep -i "200 ok"
(wp-admin/admin.php redirects requests without an admin session to the login page, so this probe only works with an authenticated session, and a 200 response on its own is not evidence of the flaw; the installed plugin version is the reliable indicator.)
Attack Timeline
- Disclosure
- Patch
Threat Intelligence
Exploit Status
EPSS
18.43% (95th percentile)
CISA SSVC
CVSS Vector
What do these metrics mean?
- Attack Vector: Network. Exploitable remotely over the internet; no physical or local access required.
- Attack Complexity: Low. No special conditions required; reliably exploitable.
- Privileges Required: None. Unauthenticated; no credentials needed to exploit.
- User Interaction: None. Automatic, silent attack; the victim does nothing.
- Scope: Changed. The attack can pivot beyond the vulnerable component.
- Confidentiality: High. Total loss of confidentiality; the attacker can read all data.
- Integrity: None. No impact on integrity.
- Availability: Low. Partial or intermittent denial of service.
Affected Software
Package information
- Active installs: 20K
- Plugin rating: 4.9
- Requires WordPress: 5.8+
- Compatible up to: 6.9.4
- Requires PHP: 7.4+
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2024-30502 is to immediately upgrade WP Travel Engine to version 5.7.10 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) with rules to detect and block SQL Injection attempts targeting the vulnerable endpoints. Carefully review and sanitize all user inputs to prevent malicious SQL code from being injected. Regularly scan your WordPress installation for vulnerabilities using a reputable security plugin. After upgrading, confirm the fix by attempting a SQL Injection attack on the vulnerable endpoint and verifying that it is blocked.
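As an added example (not code from this advisory or from the WP Travel Engine project), the following Python script performs the check that both the detection steps and the mitigation above ultimately come down to: reading the installed plugin's version from its WordPress plugin header and comparing it numerically against the fixed release 5.7.10. The plugin directory path is the one used in the detection steps; the header format is WordPress's standard "Version:" header line; the sample header block embedded in the script is constructed for the example and is not the real plugin file.

```python
"""Version check for CVE-2024-30502 (WP Travel Engine <= 5.7.9, fixed in 5.7.10).

Added example for this advisory; it is not code from the page or from the
WP Travel Engine project. It assumes only the standard WordPress plugin header
format ("Version: x.y.z" in the main plugin file's leading comment block).
The sample header below is constructed for the example.
"""
import re
from pathlib import Path
from typing import Optional, Union

FIXED_VERSION = "5.7.10"  # first fixed release, as stated in the advisory
# Default plugin directory for this component (path taken from the detection steps)
PLUGIN_DIR = Path("/var/www/html/wp-content/plugins/wp-travel-engine")

# Constructed sample of a plugin header block, shaped the way WordPress expects it.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: WP Travel Engine
 * Version: 5.7.9
 * Requires PHP: 7.4
 */
"""

# Matches the "Version:" header line; the leading "*" is the comment-block prefix.
_VERSION_RE = re.compile(r"^[ \t/*#]*Version:[ \t]*([0-9][0-9A-Za-z.\-]*)", re.MULTILINE)


def parse_plugin_version(header_text: str) -> Optional[str]:
    """Return the Version: value from a plugin header block, or None if absent."""
    match = _VERSION_RE.search(header_text)
    return match.group(1) if match else None


def version_tuple(version: str) -> tuple:
    """Numeric per-segment tuple so that 5.7.9 sorts below 5.7.10.

    A plain string comparison gets this wrong ("5.7.9" > "5.7.10"), and that is
    exactly the boundary this CVE sits on. Non-numeric suffixes (e.g. "-beta")
    are dropped from their segment.
    """
    parts = []
    for segment in version.split("."):
        digits = re.match(r"\d+", segment)
        parts.append(int(digits.group(0)) if digits else 0)
    return tuple(parts)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is strictly older than the fixed one."""
    return version_tuple(installed) < version_tuple(fixed)


def assess(installed: Optional[str]) -> str:
    """Map a parsed version (or None) to a short verdict string."""
    if installed is None:
        return "unknown: no plugin header found"
    if is_vulnerable(installed):
        return f"vulnerable: {installed} < {FIXED_VERSION}, upgrade required"
    return f"patched: {installed} >= {FIXED_VERSION}"


def find_installed_version(plugin_dir: Union[Path, str] = PLUGIN_DIR) -> Optional[str]:
    """Scan top-level .php files for the header (WordPress reads the first 8 KiB)."""
    plugin_dir = Path(plugin_dir)
    if not plugin_dir.is_dir():
        return None
    for php_file in sorted(plugin_dir.glob("*.php")):
        version = parse_plugin_version(php_file.read_text(errors="replace")[:8192])
        if version:
            return version
    return None


def check(plugin_dir: Union[Path, str] = PLUGIN_DIR) -> str:
    """Filesystem entry point: locate the plugin header and return the verdict."""
    return assess(find_installed_version(plugin_dir))


if __name__ == "__main__":
    # Offline demonstration on the constructed header, then the live directory.
    print("sample header ->", assess(parse_plugin_version(SAMPLE_HEADER)))
    print("live install   ->", check())
```

Run it on the web host (optionally passing a different plugin directory to `check`); the per-segment numeric comparison is the point of the script, since a string comparison would report 5.7.9 as newer than 5.7.10 and miss the vulnerable install.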
How to Fix
Update the WP Travel Engine plugin to the latest available version. The unauthenticated blind SQL injection vulnerability has been fixed in versions after 5.7.9. To update, go to the WordPress admin dashboard, then to the Plugins section, and look for WP Travel Engine. Click 'Update now'.
Frequently Asked Questions
What is CVE-2024-30502 — SQL Injection in WP Travel Engine?
CVE-2024-30502 is a critical SQL Injection vulnerability affecting WP Travel Engine versions up to 5.7.9, allowing attackers to inject malicious SQL code and potentially access sensitive data.
Am I affected by CVE-2024-30502 in WP Travel Engine?
You are affected if you are using WP Travel Engine version 5.7.9 or earlier. Immediately check your plugin version and upgrade if necessary.
How do I fix CVE-2024-30502 in WP Travel Engine?
Upgrade WP Travel Engine to version 5.7.10 or later. Consider a WAF as an interim measure if immediate upgrade is not possible.
Is CVE-2024-30502 being actively exploited?
While no widespread exploitation has been confirmed, the vulnerability's nature makes it a likely target for malicious actors. Proactive mitigation is highly recommended.
Where can I find the official WP Travel Engine advisory for CVE-2024-30502?
Refer to the WP Travel Engine website and WordPress plugin repository for the latest security advisories and updates related to CVE-2024-30502.