Platform
wordpress
Component
woo-payment-gateway-for-piraeus-bank
Fixed in
1.6.6
CVE-2024-0610 describes a time-based blind SQL Injection vulnerability discovered in the Piraeus Bank WooCommerce Payment Gateway plugin for WordPress. This flaw allows unauthenticated attackers to inject malicious SQL queries, potentially leading to data exfiltration. The vulnerability impacts versions up to and including 1.6.5.1. A patch is expected from the vendor.
The SQL Injection vulnerability in the Piraeus Bank WooCommerce Payment Gateway allows attackers to bypass authentication and directly manipulate database queries. By injecting carefully crafted SQL statements through the 'MerchantReference' parameter, an attacker can extract sensitive information stored within the database. This could include customer data, transaction details, and potentially even administrative credentials. Successful exploitation could lead to significant data breaches and compromise the integrity of the entire WooCommerce store. The blind nature of the injection means attackers must use time-based techniques to extract data, but this does not significantly reduce the risk.
CVE-2024-0610 was publicly disclosed on February 17, 2024. While no active exploitation campaigns have been confirmed, the CRITICAL severity and ease of exploitation make it a high-priority target. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge, increasing the risk of widespread exploitation.
WooCommerce store owners utilizing the Piraeus Bank WooCommerce Payment Gateway plugin, particularly those running versions prior to 1.6.5.1, are at significant risk. Shared hosting environments where multiple WordPress sites share the same database are especially vulnerable, as a compromise of one site could potentially lead to the compromise of others.
• wordpress / composer / npm:
  grep -r "SELECT .* FROM" /var/www/wordpress/wp-content/plugins/piraeus-bank-woocommerce-payment-gateway/
• generic web:
  curl -I 'https://your-wordpress-site.com/?MerchantReference=' # Check for SQL errors in response headers
• wordpress / composer / npm:
  wp plugin list --status=inactive | grep piraeus-bank-woocommerce-payment-gateway # Check if plugin is disabled
Disclosure
Exploit Status
EPSS
0.48% (65th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-0610 is to immediately upgrade the Piraeus Bank WooCommerce Payment Gateway plugin to a patched version when available. Until a patch is released, consider disabling the plugin entirely to prevent potential exploitation. As a temporary workaround, implement strict input validation and sanitization on the 'MerchantReference' parameter, ensuring that only expected characters are allowed. Web Application Firewalls (WAFs) configured to detect and block SQL Injection attempts can also provide an additional layer of defense. Monitor WordPress access logs for suspicious SQL queries related to the plugin.
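To support the log-monitoring step above, here is an added Python example (not code from the plugin or from this advisory) that scans constructed Apache-style access log lines for requests whose 'MerchantReference' parameter carries a time-based SQL primitive or falls outside an expected format; the expected reference format, the sample lines and the verdict names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format: client IP, ident, user, [timestamp], "METHOD target proto", status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed shape of a legitimate merchant reference (order-id style); tune it to your store.
EXPECTED_REF = re.compile(r'^[A-Za-z0-9_-]{1,64}$')

# Delay primitives used by time-based blind injection; parse_qs has already URL-decoded the value.
TIME_BASED = re.compile(r'\b(sleep|benchmark|pg_sleep|waitfor\s+delay)\b', re.IGNORECASE)

# Constructed sample lines (not real traffic): one benign, one time-based, one malformed, one unrelated.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Feb/2024:10:01:02 +0000] "GET /?MerchantReference=ORD-10042 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [17/Feb/2024:10:01:10 +0000] "GET /?MerchantReference=1%27%20AND%20SLEEP%285%29--%20- HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.9 - - [17/Feb/2024:10:01:12 +0000] "GET /?MerchantReference=ORD-10042%27%20-- HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.2 - - [17/Feb/2024:10:02:00 +0000] "GET /checkout/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""


def classify_request(target: str):
    """Return (verdict, reason) for one request target: 'ok', 'suspicious' or 'time-based-sqli'."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    values = params.get('MerchantReference')
    if not values:
        return 'ok', 'no MerchantReference parameter'
    for value in values:
        if TIME_BASED.search(value):
            return 'time-based-sqli', f'delay primitive in MerchantReference: {value!r}'
        if not EXPECTED_REF.match(value):
            return 'suspicious', f'MerchantReference outside expected format: {value!r}'
    return 'ok', 'MerchantReference matches expected format'


def scan_access_log(text: str):
    """Return (ip, timestamp, verdict, reason) for every parseable line whose verdict is not 'ok'."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        verdict, reason = classify_request(m.group('target'))
        if verdict != 'ok':
            hits.append((m.group('ip'), m.group('ts'), verdict, reason))
    return hits


if __name__ == '__main__':
    for hit in scan_access_log(SAMPLE_LOG):
        print(*hit, sep=' | ')
```

Feed it the real access log (`scan_access_log(open(path).read())`) and review the 'suspicious' verdicts as well, since a blind injection probe may not use a delay primitive on every request.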
Update the Piraeus Bank WooCommerce Payment Gateway plugin to the latest available version. The SQL injection vulnerability was fixed in versions after 1.6.5.1. Check the plugin page in the WordPress repository for the most recent version.
CVE-2024-0610 is a critical SQL Injection vulnerability affecting the Piraeus Bank WooCommerce Payment Gateway plugin for WordPress versions up to 1.6.5.1, allowing attackers to extract sensitive data.
If you are using the Piraeus Bank WooCommerce Payment Gateway plugin and are running a version equal to or less than 1.6.5.1, you are potentially affected by this vulnerability.
The recommended fix is to upgrade to a patched version of the Piraeus Bank WooCommerce Payment Gateway plugin as soon as it becomes available. Until then, disable the plugin or implement input validation.
While no active exploitation campaigns have been confirmed, the vulnerability's severity and ease of exploitation suggest a high risk of exploitation.
Refer to the official Piraeus Bank WooCommerce Payment Gateway plugin documentation and WordPress security announcements for updates and advisories related to CVE-2024-0610.