Platform
wordpress
Component
dokan-pro
Fixed in
3.10.4
CVE-2024-3922 is a critical SQL Injection vulnerability affecting Dokan Pro, a popular WordPress plugin for multi-vendor marketplaces. This flaw allows unauthenticated attackers to inject malicious SQL queries, potentially leading to unauthorized data access and manipulation. The vulnerability impacts versions of Dokan Pro up to and including 3.10.3. A patch is available; immediate upgrade is recommended.
The SQL Injection vulnerability in Dokan Pro allows attackers to directly manipulate database queries. An attacker could leverage this to extract sensitive information such as user credentials (usernames, passwords, email addresses), customer data (names, addresses, payment details), and order information. Successful exploitation could lead to complete compromise of the WordPress site and its associated data. Given Dokan Pro’s widespread use in e-commerce environments, the potential blast radius is significant, impacting both the site owner and their customers. This vulnerability shares similarities with other SQL Injection flaws where attackers can bypass authentication and gain administrative privileges.
CVE-2024-3922 was publicly disclosed on 2024-06-13. While no active exploitation campaigns have been publicly confirmed, the vulnerability's critical severity and ease of exploitation make it a high-priority target. The vulnerability is not currently listed on CISA KEV, but its severity warrants close monitoring. Public proof-of-concept exploits are likely to emerge, increasing the risk of widespread exploitation.
WordPress site owners using Dokan Pro, particularly those still running version 3.10.3 or earlier, are at significant risk. Multi-vendor e-commerce sites are especially exposed because of the sensitive customer and transaction data they handle. Shared hosting environments in which several WordPress sites share one database are also at increased risk, since a compromise of one site could affect the others.
• wordpress / composer / npm:
grep -r "SELECT .* FROM" /var/www/html/wp-content/plugins/dokan-pro/
• generic web:
curl -I 'https://your-wordpress-site.com/?code=test' | grep 'SQL injection'
• wordpress / composer / npm:
wp plugin list --status=active | grep dokan-pro
• wordpress / composer / npm:
wp plugin update dokan-pro
Disclosure
Exploit status
EPSS
89.48% (100th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to immediately upgrade Dokan Pro to a version that addresses CVE-2024-3922. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing temporary workarounds. A Web Application Firewall (WAF) can be configured to filter out malicious SQL injection attempts targeting the 'code' parameter. Input validation on the server-side, specifically escaping user-supplied input before incorporating it into SQL queries, is crucial. Monitor WordPress access logs for suspicious SQL queries and unusual database activity. After upgrading, verify the fix by attempting a SQL injection attack on the affected parameter and confirming that it is properly sanitized.
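To make the "escape user-supplied input before incorporating it into SQL queries" advice concrete, here is an added example (not Dokan Pro's own code; the `dokan_coupons` table, the two function names and the use of a `code` request parameter are hypothetical) showing the unsafe string-interpolation pattern beside the parameterised form WordPress provides through `$wpdb->prepare()`:

```php
<?php
// Added illustration, not code from the Dokan Pro plugin.
// Assumes it runs inside WordPress, where the global $wpdb object and the
// sanitize_text_field() / wp_unslash() helpers are available.

// UNSAFE PATTERN: the request value is concatenated straight into the SQL
// text, so a quote character in the value changes the structure of the query.
function dokan_lookup_coupon_unsafe() {
    global $wpdb;
    $code  = $_GET['code'];                        // untrusted input
    $table = $wpdb->prefix . 'dokan_coupons';      // hypothetical table
    $sql   = "SELECT id, vendor_id, discount FROM {$table} WHERE code = '{$code}'";
    return $wpdb->get_results( $sql );
}

// HARDENED PATTERN: the value is bound through a %s placeholder, so the
// database only ever compares it as a string and never parses it as SQL.
function dokan_lookup_coupon_safe() {
    global $wpdb;
    if ( ! isset( $_GET['code'] ) ) {
        return array();
    }
    // Remove the slashes WordPress adds to request data, then normalise to plain text.
    $code = sanitize_text_field( wp_unslash( $_GET['code'] ) );

    // Allow-list check (assumption: coupon codes are short alphanumerics).
    // Rejecting early keeps unexpected input out of the query entirely.
    if ( ! preg_match( '/^[A-Za-z0-9_-]{1,32}$/', $code ) ) {
        return array();
    }

    // Table names cannot be bound; interpolating $wpdb->prefix is the WordPress
    // convention. Only the value goes through the placeholder.
    $table = $wpdb->prefix . 'dokan_coupons';      // hypothetical table
    $sql   = $wpdb->prepare(
        "SELECT id, vendor_id, discount FROM {$table} WHERE code = %s",
        $code
    );
    return $wpdb->get_results( $sql );
}
```

Where `$wpdb->prepare()` cannot be used (for example when building an identifier), `esc_sql()` is the escaping helper WordPress provides, but placeholders should be the default.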
Update the Dokan Pro plugin to the latest available version. The SQL injection vulnerability was fixed in versions after 3.10.3. Applying the update as soon as possible is recommended to prevent potential attacks.
CVE-2024-3922 is a critical SQL Injection vulnerability in Dokan Pro versions up to 3.10.3, allowing attackers to manipulate database queries and potentially extract sensitive data.
If you are using Dokan Pro version 3.10.3 or earlier, you are vulnerable to this SQL Injection flaw. Upgrade immediately.
The recommended fix is to upgrade Dokan Pro to the latest version that addresses this vulnerability. If immediate upgrade is not possible, implement WAF rules and input validation as temporary mitigations.
While no active exploitation campaigns have been publicly confirmed, the vulnerability's severity and ease of exploitation make it a high-priority target.
Refer to the Dokan Pro official website and WordPress plugin repository for the latest advisory and update information.