Platform: wordpress
Component: woocommerce-products-filter
Fixed in: 1.3.7
CVE-2024-6457 describes a critical SQL Injection vulnerability affecting the HUSKY – Products Filter Professional for WooCommerce plugin. This flaw allows unauthenticated attackers to inject malicious SQL queries, potentially leading to data exfiltration and compromise of the WordPress database. The vulnerability impacts versions up to and including 1.3.6. A patch is available; users are strongly advised to upgrade immediately.
The SQL Injection vulnerability in HUSKY – Products Filter Professional for WooCommerce allows attackers to manipulate database queries through the ‘woof_author’ request parameter. Successful exploitation could let an attacker read sensitive data from the WordPress database, such as user credentials (password hashes), customer records and order details, and from there work towards administrative access to the site. The impact is particularly severe because the vulnerability is unauthenticated: an attacker needs no valid account to reach the affected code path. A full read of the database is effectively a compromise of the whole WordPress installation.
CVE-2024-6457 was publicly disclosed on 2024-07-16. While no active exploitation campaigns have been publicly confirmed, the vulnerability's critical severity and ease of exploitation make it a high-priority target. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge, increasing the risk of widespread exploitation.
WordPress websites running the HUSKY – Products Filter Professional for WooCommerce plugin at version 1.3.6 or earlier are at significant risk. Hosting environments in which several sites share one database server or one database user are especially exposed, since an injection on one site may reach data that belongs to others.
Detection
• wordpress / composer / npm (on the server, inside the WordPress root):
wp plugin get woocommerce-products-filter --field=version
grep -r "woof_author" /var/www/html/wp-content/plugins/woocommerce-products-filter/
• generic web (version fingerprint from the publicly readable plugin readme):
curl -s 'https://your-wordpress-site.com/wp-content/plugins/woocommerce-products-filter/readme.txt' | grep -i 'stable tag'
Any reported version at or below 1.3.6 is affected.
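The version checks above can be automated. The script below is an added example, not code from the advisory or from the plugin: it parses the "Stable tag" line of a plugin readme.txt and the "Version" line of a plugin file header, compares the result against the fixed release (1.3.7, taken from this advisory), and builds the readme URL used for remote fingerprinting. The readme and header text embedded in it are constructed samples; the plugin slug is the one this page lists.

```python
"""Version fingerprinting for CVE-2024-6457 (added example, not the plugin's code)."""
import re
from typing import Optional, Tuple

FIXED_VERSION = "1.3.7"                    # from the advisory: fixed in 1.3.7
PLUGIN_SLUG = "woocommerce-products-filter"  # component slug listed on this page

# Constructed sample of a plugin readme.txt (only the lines that matter here).
SAMPLE_README = """=== HUSKY - Products Filter Professional for WooCommerce ===
Requires at least: 4.5
Stable tag: 1.3.6
"""

# Constructed sample of a WordPress plugin file header.
SAMPLE_PLUGIN_HEADER = """<?php
/*
Plugin Name: HUSKY - Products Filter Professional for WooCommerce
Version: 1.3.6
*/
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """'1.3.6' -> (1, 3, 6). Non-numeric suffixes such as '-beta' are ignored."""
    parts = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def stable_tag(readme_text: str) -> Optional[str]:
    """Return the 'Stable tag' value from a WordPress plugin readme.txt, if present."""
    match = re.search(r"^Stable tag:\s*([\w.\-]+)", readme_text, re.MULTILINE)
    return match.group(1) if match else None


def header_version(plugin_php: str) -> Optional[str]:
    """Return the 'Version:' value from a plugin file header, if present."""
    match = re.search(r"^\s*\*?\s*Version:\s*([\w.\-]+)", plugin_php, re.MULTILINE)
    return match.group(1) if match else None


def is_affected(version: str) -> bool:
    """True for every release below the fixed version, i.e. 1.3.6 and earlier."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def readme_url(site: str) -> str:
    """URL of the publicly readable readme used for remote version fingerprinting."""
    return f"{site.rstrip('/')}/wp-content/plugins/{PLUGIN_SLUG}/readme.txt"


if __name__ == "__main__":
    for label, found in (("readme", stable_tag(SAMPLE_README)),
                         ("header", header_version(SAMPLE_PLUGIN_HEADER))):
        status = "AFFECTED" if found and is_affected(found) else "not affected"
        print(f"{label}: version {found} -> {status}")
    print("fingerprint URL:", readme_url("https://your-wordpress-site.com"))
```

Point `stable_tag()` at the body returned by fetching `readme_url(site)` with curl or `urllib.request` to check a remote site; on the server, feed it the local readme.txt or the main plugin file instead. Note that a site owner may block direct access to readme.txt, so a missing tag is inconclusive, not a clean result.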
Exploit status:
EPSS: 8.48% (92nd percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2024-6457 is to upgrade the HUSKY – Products Filter Professional for WooCommerce plugin to 1.3.7 or later. If an immediate upgrade is not possible because of compatibility concerns, deploy a Web Application Firewall (WAF) rule on the ‘woof_author’ parameter as a temporary virtual patch; an allowlist that only accepts the value format the filter expects is far more robust than a blocklist of "suspicious SQL syntax", which attackers routinely bypass with encoding and comment tricks. Also review database user permissions to limit what a successful injection can read or change, bearing in mind that WordPress runs all of its queries as a single database user, so the gain from least privilege is real but bounded. After the upgrade, confirm that the installed version reports 1.3.7 or later; any injection test to verify the fix should be run only against a staging copy you are authorized to test, never against production.
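To make the WAF recommendation concrete, the following added example (not code from the plugin or the advisory) shows an allowlist check for the ‘woof_author’ parameter next to a generic vulnerable/hardened query pair. It assumes, as an illustration only, that the filter expects a comma-separated list of numeric author IDs such as "3,7"; the toy products table is constructed for the demo and the string-built query stands for the general bug class the advisory describes, not for the plugin's actual code.

```python
"""Allowlist virtual patch for woof_author and a parameterised query (added example)."""
import re
import sqlite3
from typing import List
from urllib.parse import parse_qs

# Assumption (not from the advisory): woof_author carries comma-separated numeric author IDs.
AUTHOR_LIST = re.compile(r"^\d{1,10}(?:,\d{1,10})*$")


def validate_woof_author(raw: str) -> List[int]:
    """Return the author IDs in `raw`, or raise ValueError for anything that is not an ID list."""
    raw = raw.strip()
    if raw == "":
        return []                       # an empty filter is a legitimate "no author" value
    if not AUTHOR_LIST.fullmatch(raw):
        raise ValueError(f"rejected woof_author value: {raw!r}")
    return [int(part) for part in raw.split(",")]


def request_allowed(query_string: str) -> bool:
    """WAF-rule analogue: block the request if any woof_author value fails the allowlist."""
    params = parse_qs(query_string, keep_blank_values=True)
    for value in params.get("woof_author", []):
        try:
            validate_woof_author(value)
        except ValueError:
            return False
    return True


def build_demo_db() -> sqlite3.Connection:
    """Constructed toy schema standing in for product/author data."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE products(id INTEGER, name TEXT, author_id INTEGER);"
        "INSERT INTO products VALUES (1,'Mug',3),(2,'Hat',7),(3,'Pen',9),(4,'Key',11);"
    )
    return con


def products_by_author_vulnerable(con: sqlite3.Connection, raw: str) -> List[str]:
    """Generic string-concatenated query: the bug class behind the advisory, NOT the plugin's code."""
    sql = "SELECT name FROM products WHERE author_id IN (" + raw + ")"
    return sorted(row[0] for row in con.execute(sql))


def products_by_author_hardened(con: sqlite3.Connection, raw: str) -> List[str]:
    """Allowlist the input, then bind one placeholder per ID so no user text reaches the parser."""
    ids = validate_woof_author(raw)
    if not ids:
        return []
    placeholders = ",".join("?" * len(ids))
    sql = f"SELECT name FROM products WHERE author_id IN ({placeholders})"
    return sorted(row[0] for row in con.execute(sql, ids))


if __name__ == "__main__":
    con = build_demo_db()
    payload = "0) OR 1=1 --"           # constructed injection string for the demo
    print("vulnerable, benign input :", products_by_author_vulnerable(con, "3,7"))
    print("vulnerable, injected     :", products_by_author_vulnerable(con, payload))
    print("hardened, benign input   :", products_by_author_hardened(con, "3,7"))
    try:
        products_by_author_hardened(con, payload)
    except ValueError as exc:
        print("hardened, injected       :", exc)
    print("WAF allows ?woof_author=3,7 :", request_allowed("woof_author=3,7&orderby=price"))
    print("WAF allows injected value   :", request_allowed("woof_author=0)+OR+1%3D1+--"))
```

`request_allowed()` is the logic you would express in the WAF of your choice: match on the parameter name, allow only the expected shape, and reject everything else. If the real filter accepts author slugs rather than IDs, widen the pattern to the exact character set that is legitimate and nothing more; keep the parameterised query regardless, because input validation is a stopgap while the binding is the actual fix.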
Update the HUSKY – Products Filter Professional for WooCommerce plugin to the latest available version. The SQL injection has been fixed in releases after 1.3.6 (1.3.7 and later). This prevents unauthenticated attackers from exploiting the flaw to extract sensitive information from the database.
CVE-2024-6457 is a critical SQL Injection vulnerability in the HUSKY – Products Filter Professional for WooCommerce plugin, allowing attackers to extract data.
You are affected if you are using HUSKY – Products Filter Professional for WooCommerce version 1.3.6 or earlier.
Upgrade the plugin to the latest version, which includes the security fix. Consider a WAF as a temporary mitigation.
While no active exploitation campaigns have been confirmed, the vulnerability's severity makes it a likely target.
Refer to the official HUSKY website or WordPress plugin repository for the latest advisory and update information.