Platform: wordpress
Component: real-estate-listing-realtyna-wpl
Fixed in: 4.14.5
CVE-2024-32128 identifies a SQL Injection vulnerability within the Realtyna Organic IDX plugin and the WPL Real Estate plugin. This flaw allows attackers to inject malicious SQL code, potentially compromising sensitive data and gaining unauthorized access to the WordPress database. The vulnerability impacts versions up to 4.14.4, and a patch is available in version 4.14.5.
Successful exploitation of this SQL Injection vulnerability could allow an attacker to bypass authentication, read sensitive data (such as user credentials, property listings, and financial information), modify database records, or even execute arbitrary commands on the server. The blast radius extends to any data stored within the WordPress database managed by the Realtyna IDX plugin. A skilled attacker could leverage this to gain complete control over the website and potentially pivot to other systems on the network. This vulnerability shares characteristics with other SQL injection flaws, where improper input validation lets attacker-controlled queries execute within the database context.
This vulnerability was publicly disclosed on April 15, 2024. While no active exploitation campaigns have been definitively confirmed, the CRITICAL CVSS score (9.3) indicates a high probability of exploitation. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept exploits are likely to emerge given the ease of exploitation associated with SQL Injection vulnerabilities.
Websites utilizing the Realtyna Organic IDX plugin and WPL Real Estate plugin, particularly those running older versions (≤4.14.4), are at significant risk. Shared hosting environments are especially vulnerable as they often have limited control over plugin updates and security configurations. Sites with custom integrations or extensions built on top of the Realtyna IDX plugin may also be affected.
• wordpress / composer / npm:
  grep -r "SELECT .* FROM" /var/www/html/wp-content/plugins/realtyna-organic-idx/
• generic web:
  curl -I "https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=idx_get_listings" | grep SQL
Exploit status
EPSS
11.04% (93rd percentile)
CVSS vector
The primary mitigation is to immediately upgrade the Realtyna Organic IDX plugin and WPL Real Estate plugin to version 4.14.5 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to filter potentially malicious SQL queries targeting the vulnerable endpoints. Specifically, look for patterns involving single quotes, double quotes, semicolons, and SQL keywords in user-supplied input. Regularly review database access logs for suspicious activity and implement strong password policies for all WordPress users.
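As an added example of the log-review and WAF-pattern guidance above (not code from the advisory, from Realtyna, or from the plugin), the Python helper below scores requests to the admin-ajax.php endpoint and action named in the detection command earlier on this page. The log lines are constructed, and the metacharacter list, keyword list and alert threshold are assumptions chosen to keep a lone apostrophe in a legitimate value (a surname such as O'Brien) below the alert line.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
# Lines 2 and 3 carry the quote/separator/keyword mix the mitigation text says
# to filter; line 5 is a legitimate value containing one apostrophe.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Apr/2024:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=idx_get_listings&city=Austin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [15/Apr/2024:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=idx_get_listings&city=Austin%27%20OR%201%3D1--%20 HTTP/1.1" 200 90210 "-" "curl/8.0"
203.0.113.12 - - [15/Apr/2024:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=idx_get_listings&sort=price%3B%20SELECT%201 HTTP/1.1" 500 412 "-" "python-requests/2.31"
203.0.113.13 - - [15/Apr/2024:10:03:00 +0000] "GET /wp-content/uploads/photo.jpg HTTP/1.1" 200 80000 "-" "Mozilla/5.0"
203.0.113.14 - - [15/Apr/2024:10:04:00 +0000] "GET /wp-admin/admin-ajax.php?action=idx_get_listings&q=O%27Brien HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, timestamp, method, request target, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Heuristics from the mitigation text: quotes, statement/comment separators, SQL keywords (assumed lists).
META_RE = re.compile(r"['\";]|--|/\*")
KEYWORD_RE = re.compile(r"\b(select|union|insert|update|delete|drop|sleep|benchmark|information_schema)\b", re.I)

def score_value(value: str) -> int:
    """Count SQL metacharacters and keywords in one URL-decoded parameter value."""
    return len(META_RE.findall(value)) + len(KEYWORD_RE.findall(value))

def analyze_target(target: str, endpoint: str = "/wp-admin/admin-ajax.php",
                   action: str = "idx_get_listings", threshold: int = 2):
    """Score every parameter of a request to the watched AJAX action; None if the
    request is for another endpoint or action. threshold=2 tolerates a single apostrophe."""
    parts = urlsplit(target)
    if parts.path != endpoint:
        return None
    params = dict(parse_qsl(parts.query, keep_blank_values=True))  # decodes %xx and '+'
    if params.get("action") != action:
        return None
    scores = {k: score_value(v) for k, v in params.items() if k != "action"}
    worst = max(scores.values(), default=0)
    return {"suspicious": worst >= threshold, "score": worst, "params": scores}

def review_log(text: str) -> list:
    """Return one record per suspicious request, in log order, for analyst review."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = analyze_target(m["target"])
        if verdict and verdict["suspicious"]:
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]), **verdict})
    return hits
```

A 500 status on the listing endpoint alongside a high score (line 3 above) is worth treating as stronger signal than the score alone, since malformed queries often surface as server errors.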
Update the Realtyna Organic IDX plugin + WPL Real Estate plugin to the latest available version. The SQL injection vulnerability has been fixed in versions after 4.14.4. Check the plugin page on WordPress for the most recent version.
CVE-2024-32128 is a critical SQL Injection vulnerability affecting Realtyna Organic IDX and WPL Real Estate plugins, allowing attackers to inject malicious SQL code and potentially access sensitive data.
You are affected if you are using Realtyna Organic IDX or WPL Real Estate plugin versions 4.14.4 or earlier. Immediate action is required.
Upgrade the Realtyna Organic IDX and WPL Real Estate plugin to version 4.14.5 or later to patch the vulnerability. Consider WAF rules as a temporary workaround.
While no confirmed active exploitation campaigns are known, the CRITICAL severity suggests a high likelihood of exploitation. Monitor your systems closely.
Refer to the Realtyna website and WordPress plugin repository for the latest advisory and update information regarding CVE-2024-32128.