Platform
wordpress
Component
network-summary
Fixed in
2.0.12
CVE-2024-2804 describes a critical SQL Injection vulnerability affecting the Network Summary plugin for WordPress. This flaw allows unauthenticated attackers to inject malicious SQL queries, potentially leading to unauthorized data access and manipulation. The vulnerability impacts versions up to and including 2.0.11. A patch is available, and immediate action is recommended to mitigate the risk.
The SQL Injection vulnerability in Network Summary allows attackers to directly manipulate database queries. By injecting crafted SQL code through the 'category' parameter, an attacker can bypass intended security measures and extract sensitive information stored within the WordPress database. This could include user credentials, configuration details, and potentially even application code. Successful exploitation could lead to complete compromise of the WordPress site and its associated data. The lack of authentication required for exploitation significantly broadens the attack surface, making it accessible to a wide range of malicious actors.
CVE-2024-2804 was publicly disclosed on April 9, 2024. While no public exploits have been widely reported, the CRITICAL severity and ease of exploitation suggest a high probability of active scanning and potential exploitation. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept code is likely to emerge, increasing the risk of widespread exploitation.
WordPress websites utilizing the Network Summary plugin, particularly those running older, unpatched versions (≤2.0.11), are at significant risk. Shared hosting environments where multiple websites share the same database are especially vulnerable, as a compromise of one site could potentially lead to the compromise of others.
• wordpress / composer / npm:
grep -r 'SELECT * FROM' /var/www/html/wp-content/plugins/network-summary/
• generic web:
curl -I 'https://your-wordpress-site.com/?category='  # Check for SQL injection indicators in the response headers
• wordpress / composer / npm:
wp plugin list --status=active | grep network-summary
• wordpress / composer / npm:
wp plugin update network-summary
Disclosure
Exploit Status
EPSS
0.51% (percentile 66%)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-2804 is to immediately upgrade the Network Summary plugin to a patched version. If upgrading is not feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin. As a short-term workaround, implement strict input validation and sanitization on the 'category' parameter within the plugin's code, although this is not a substitute for a proper patch. Web Application Firewalls (WAFs) configured with rules to detect and block SQL Injection attempts targeting the 'category' parameter can provide an additional layer of defense. Monitor WordPress logs for suspicious SQL queries related to the plugin.
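As an added illustration of the workaround described above (this is not the Network Summary plugin's own code; the handler names, table name and allowlist values are assumed), the unsafe concatenation pattern is shown beside a hardened version that validates 'category' against an allowlist and binds it with $wpdb->prepare():

```php
<?php
// Added example, not code from the Network Summary plugin. The function names,
// the table name and the allowlist values are assumptions for illustration.

// BEFORE: the request parameter is concatenated straight into the SQL string.
// This is the defect class CVE-2024-2804 describes; kept only for contrast.
function ns_lookup_category_unsafe( $wpdb ) {
    $category = isset( $_GET['category'] ) ? $_GET['category'] : '';
    $sql = "SELECT id, name FROM {$wpdb->prefix}network_summary"
         . " WHERE category = '" . $category . "'";
    return $wpdb->get_results( $sql );
}

// AFTER, step 1: strict validation. Reduce the input to a safe character set
// and accept only values the plugin actually understands.
function ns_validate_category( $raw, array $allowed ) {
    // sanitize_key() lowercases and strips everything except [a-z0-9_-]
    $category = sanitize_key( wp_unslash( $raw ) );
    return in_array( $category, $allowed, true ) ? $category : null;
}

// AFTER, step 2: parameter binding. $wpdb->prepare() escapes the value and
// places it as data, so it cannot change the structure of the query.
function ns_lookup_category_safe( $wpdb ) {
    $allowed  = array( 'lan', 'wan', 'vpn' ); // assumed allowlist
    $category = ns_validate_category( $_GET['category'] ?? '', $allowed );
    if ( null === $category ) {
        return array(); // unknown category: refuse to query at all
    }
    $sql = $wpdb->prepare(
        "SELECT id, name FROM {$wpdb->prefix}network_summary WHERE category = %s",
        $category
    );
    return $wpdb->get_results( $sql );
}
```

The allowlist check is what makes the workaround strict; prepare() alone already prevents injection, but rejecting unknown values also gives the WAF and log monitoring mentioned above a clean signal to alert on.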
Update the Network Summary plugin to the latest available version. The SQL injection vulnerability was fixed in versions after 2.0.11.
CVE-2024-2804 is a critical SQL Injection vulnerability in the Network Summary WordPress plugin, allowing attackers to extract data via the 'category' parameter. It affects versions up to 2.0.11.
If you are using version 2.0.11 or earlier of the Network Summary plugin for WordPress, you are vulnerable. Check your plugin version immediately.
Upgrade the Network Summary plugin to the latest version, which contains the fix. If upgrading is not possible, temporarily disable the plugin.
While no widespread exploitation has been confirmed, the vulnerability's severity and ease of exploitation suggest a high probability of active scanning and potential attacks.
Refer to the official Network Summary plugin website or WordPress.org plugin repository for the latest advisory and update information.