Plateforme
wordpress
Composant
blog2social
Corrigé dans
7.4.2
CVE-2024-3549 is a critical SQL Injection vulnerability affecting the Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress. This flaw allows authenticated attackers, even those with subscriber-level access, to inject malicious SQL queries into existing database queries. Versions of the plugin up to and including 7.4.1 are vulnerable. A patch is available to address this issue.
The SQL Injection vulnerability in Blog2Social allows an attacker to manipulate database queries, potentially leading to unauthorized data access and modification. An attacker could extract sensitive information such as user credentials, API keys, or other confidential data stored in the WordPress database. Successful exploitation could also lead to data corruption or even complete database takeover. Given the plugin's functionality for social media scheduling, compromised accounts could be used to spread malicious content or phishing links across multiple platforms, significantly expanding the blast radius of the attack.
CVE-2024-3549 was publicly disclosed on June 11, 2024. While no public exploits have been widely reported, the CRITICAL severity and ease of exploitation (requiring only subscriber access) suggest a high probability of exploitation. It is recommended to prioritize patching this vulnerability. The vulnerability is not currently listed on the CISA KEV catalog.
WordPress websites utilizing the Blog2Social plugin, particularly those with subscriber-level users who have access to modify post types, are at significant risk. Shared hosting environments where multiple websites share the same database are also at increased risk, as a compromise of one site could potentially impact others.
• wordpress / composer / npm:
grep -r "b2sSortPostType" /var/www/html/wp-content/plugins/blog2social/• wordpress / composer / npm:
wp plugin list --status=active | grep blog2social• wordpress / composer / npm:
wp plugin update blog2social• generic web: Check WordPress error logs for SQL syntax errors related to the 'b2sSortPostType' parameter.
disclosure
Statut de l'Exploit
EPSS
0.63% (percentile 70%)
Vecteur CVSS
The primary mitigation for CVE-2024-3549 is to immediately upgrade the Blog2Social plugin to a patched version. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting access to the 'b2sSortPostType' parameter. While not a complete fix, this can reduce the attack surface. Web application firewalls (WAFs) configured to detect and block SQL Injection attempts targeting the 'b2sSortPostType' parameter can provide an additional layer of protection. Monitor WordPress logs for suspicious SQL queries originating from the plugin.
Actualice el plugin Blog2Social a una versión posterior a la 7.4.1. Esto solucionará la vulnerabilidad de inyección SQL.
Analyses de vulnérabilités et alertes critiques directement dans votre boîte mail.
CVE-2024-3549 is a critical SQL Injection vulnerability in the Blog2Social plugin for WordPress versions up to 7.4.1, allowing attackers to potentially extract sensitive database information.
If you are using Blog2Social plugin version 7.4.1 or earlier, you are vulnerable to this SQL Injection flaw. Check your plugin version immediately.
Upgrade the Blog2Social plugin to the latest available version, which contains the necessary fix. If upgrading is not possible, temporarily restrict access to the 'b2sSortPostType' parameter.
While no widespread exploitation has been confirmed, the CRITICAL severity and ease of exploitation suggest a high probability of exploitation. Proactive patching is strongly recommended.
Refer to the official Blog2Social website and WordPress plugin repository for the latest advisory and update information.
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.