CRITICAL · CVE-2024-4742 · CVSS 9.8

Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress <= 1.2.5 - Authenticated (Contributor+) SQL Injection


Platform

wordpress

Component

youzify

Fixed version

1.2.6

AI Confidence: high · NVD · EPSS 0.6% · Reviewed: May 2026

CVE-2024-4742 describes a critical SQL Injection vulnerability affecting the Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress. This flaw allows authenticated attackers, even those with limited Contributor-level access, to inject malicious SQL queries. The vulnerability impacts versions of the plugin up to and including 1.2.5. A fix is available in subsequent versions; upgrading is the recommended solution.


Impact and attack scenarios

The SQL Injection vulnerability in Youzify allows an attacker to manipulate database queries, potentially leading to unauthorized data access and modification. An attacker could extract sensitive information such as user credentials, personal data, or even critical configuration details stored within the WordPress database. Successful exploitation could also lead to data deletion or corruption, severely impacting the website's functionality and integrity. The relatively low access requirement (Contributor level) significantly broadens the potential attack surface, making many WordPress sites vulnerable. This vulnerability shares similarities with other SQL injection flaws where attackers can bypass authentication and gain elevated privileges.

Exploitation status

CVE-2024-4742 was publicly disclosed on June 20, 2024. The vulnerability's CRITICAL CVSS score (9.8) indicates a high probability of exploitation. While no public proof-of-concept (PoC) has been widely publicized, the ease of exploitation and the plugin's popularity suggest that it is a likely target for malicious actors. Monitor security advisories and threat intelligence feeds for any signs of active exploitation campaigns.

Who is at risk

WordPress websites utilizing the Youzify plugin, particularly those running versions 1.2.5 or earlier, are at significant risk. Shared hosting environments where multiple websites share the same database are especially vulnerable, as a compromise of one site could potentially expose data from others. Sites with weak password policies or inadequate user access controls are also at higher risk.

Detection steps

• wordpress: locate the code that consumes the orderby shortcode attribute, as a manual review aid (the original command searched for a literal descriptive phrase that never appears in source):

grep -rn --include='*.php' "orderby" /var/www/html/wp-content/plugins/youzify/

• wordpress: confirm whether Youzify is installed and active:

wp plugin list --status=active | grep youzify

• wordpress: update the plugin to the fixed release (wp-cli takes either a plugin name or --all, not both):

wp plugin update youzify

• generic web: check the WordPress plugin directory for an updated version of Youzify.
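As an added example (not code from the advisory or the Youzify project), a POSIX shell script that applies the affected range above to an installed copy: it reads the plugin version, via wp-cli when available or from the plugin header otherwise, and compares it against the fixed version 1.2.6 with version-aware sorting. The main plugin file name youzify.php and the WordPress-root argument are assumptions.

```shell
#!/bin/sh
# Added example, not from the advisory or the Youzify project: classify an
# installed Youzify version against the affected range (<= 1.2.5, fixed in 1.2.6).

FIXED_VERSION="1.2.6"   # fixed version stated in the advisory

# Extract the "Version:" field from a WordPress plugin header comment block.
# The main plugin file name (youzify.php) is an assumption, not taken from the advisory.
plugin_version_from_header() {
    sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 (affected) when $1 sorts below the fixed version, 1 when it is the fixed
# version or newer, 2 when no version string was supplied. sort -V handles dotted
# versions, so 1.2.10 correctly sorts above 1.2.6 (a plain string compare would not).
youzify_is_affected() {
    ver="$1"
    [ -n "$ver" ] || return 2
    lowest=$(printf '%s\n%s\n' "$ver" "$FIXED_VERSION" | sort -V | head -n 1)
    [ "$lowest" != "$FIXED_VERSION" ]
}

# Inspect a live install rooted at $1: prefer wp-cli (wp plugin get --field=version),
# fall back to the header file when wp-cli is not on PATH.
check_install() {
    wp_root="$1"
    if command -v wp >/dev/null 2>&1; then
        ver=$(wp plugin get youzify --field=version --path="$wp_root" 2>/dev/null)
    else
        ver=$(plugin_version_from_header "$wp_root/wp-content/plugins/youzify/youzify.php")
    fi
    rc=0
    youzify_is_affected "$ver" || rc=$?
    case $rc in
        0) echo "youzify $ver: AFFECTED by CVE-2024-4742, update to $FIXED_VERSION or later"; return 1 ;;
        1) echo "youzify $ver: not in the affected range" ;;
        *) echo "youzify: installed version could not be determined"; return 2 ;;
    esac
}

# Usage: ./youzify_check.sh /var/www/html   (exit 1 = affected, 2 = unknown)
if [ $# -gt 0 ]; then
    check_install "$1"
fi
```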

Attack timeline

  1. Disclosure

Threat intelligence

Exploit status

Proof of concept: unknown
CISA KEV: NO
Internet exposure:

EPSS

0.63% (70th percentile)

CISA SSVC

Exploitation: none
Automatable: yes
Technical impact: total

CVSS vector

Threat intelligence · CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8 CRITICAL)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required for exploitation)
Privileges Required: None (authentication level needed for the attack)
User Interaction: None (whether the victim must act)
Scope: Unchanged (spread beyond the affected component)
Confidentiality: High (risk of sensitive data disclosure)
Integrity: High (risk of unauthorized data tampering)
Availability: High (risk of service disruption)
Source: nextguardhq.com · CVSS v3.1 base score

What do these metrics mean?
Attack Vector: Network. Exploitable remotely over the internet; no physical or local access required.
Attack Complexity: Low. No special conditions; exploitation is reliable.
Privileges Required: None. No authentication required; exploitable without credentials.
User Interaction: None. Automated and silent; the victim does nothing.
Scope: Unchanged. Impact is confined to the vulnerable component.
Confidentiality: High. Complete loss of confidentiality; all data can be read.
Integrity: High. Arbitrary data can be written, modified or deleted.
Availability: High. Complete crash or resource exhaustion; full denial of service.

Affected software

Component: youzify
Vendor: youzify
Affected range: * – 1.2.5 (fixed in 1.2.6)

Package information

Active installs: 6K (niche)
Plugin rating: 4.9
Requires WordPress: 4.9+
Tested up to: 6.9.4
Requires PHP: 5.6+

Weakness classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Updated
  4. EPSS updated
Unpatched: 703 days since publication

Mitigations and workarounds

The primary mitigation for CVE-2024-4742 is to upgrade the Youzify plugin to a version that addresses the vulnerability. Check the Youzify website or WordPress plugin repository for the latest version. If immediate upgrading is not possible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to filter out malicious SQL injection attempts targeting the orderby shortcode attribute. Additionally, carefully review and sanitize all user inputs within the plugin to prevent further SQL injection vulnerabilities. After upgrading, confirm the fix by attempting to inject a simple SQL query through the orderby parameter and verifying that it is properly sanitized and does not execute.

How to fix

Update the Youzify plugin to the latest available version. The SQL injection vulnerability has been fixed in versions after 1.2.5. This prevents authenticated attackers with Contributor level or higher from executing malicious SQL queries.


Frequently asked questions

What is CVE-2024-4742 — SQL Injection in Youzify WordPress Plugin?

CVE-2024-4742 is a critical SQL Injection vulnerability in the Youzify WordPress plugin, affecting versions up to 1.2.5. It allows authenticated attackers to inject malicious SQL queries and potentially extract sensitive data.

Am I affected by CVE-2024-4742 in Youzify WordPress Plugin?

You are affected if your WordPress site uses the Youzify plugin and is running version 1.2.5 or earlier. Check your plugin version immediately and upgrade if necessary.

How do I fix CVE-2024-4742 in Youzify WordPress Plugin?

Upgrade the Youzify plugin to the latest available version. If upgrading is not immediately possible, implement a WAF rule to filter malicious SQL injection attempts.

Is CVE-2024-4742 being actively exploited?

While no widespread exploitation has been confirmed, the vulnerability's severity and ease of exploitation suggest it is a likely target for malicious actors. Continuous monitoring is advised.

Where can I find the official Youzify advisory for CVE-2024-4742?

Check the Youzify website and the WordPress plugin repository for the official advisory and updated version information.
