Platform: wordpress
Component: notificationx
Fixed in: 2.8.3
CVE-2024-1698 describes a critical SQL Injection vulnerability affecting the NotificationX plugin for WordPress. This flaw allows unauthenticated attackers to inject malicious SQL queries, potentially leading to unauthorized data access and manipulation. The vulnerability impacts versions of the plugin up to and including 2.8.2. A patch is available to address this issue.
The SQL Injection vulnerability in NotificationX allows attackers to directly manipulate database queries. An attacker could exploit this to extract sensitive information such as user credentials, customer data, order details, and potentially even WordPress administrative user information. Successful exploitation could lead to complete compromise of the WordPress site and its associated data. The lack of authentication required to trigger the vulnerability significantly increases the attack surface, making it a high-priority concern. This vulnerability shares similarities with other SQL Injection flaws where attackers can bypass security controls and gain unauthorized access to backend systems.
CVE-2024-1698 was publicly disclosed on February 27, 2024. Public proof-of-concept exploits are likely to emerge given the vulnerability's severity and ease of exploitation. The high CVSS score (9.8) indicates a critical risk. Monitor CISA and vendor advisories for updates and potential exploitation campaigns.
WordPress websites utilizing the NotificationX plugin, particularly those running versions 2.8.2 or earlier, are at significant risk. Shared hosting environments where multiple websites share the same database are especially vulnerable, as a compromise of one site could potentially impact others. Sites with sensitive customer data or e-commerce functionality are also high-priority targets.
• wordpress / composer / npm:
grep -r "SELECT.*FROM.*WHERE.*type=" /var/www/html/wp-content/plugins/notificationx/
• generic web:
curl -s 'https://your-wordpress-site.com/?type=evil' | grep 'SQL injection'
• wordpress / composer / npm:
wp plugin list --status=inactive | grep notificationx
Disclosure:
Exploit Status:
EPSS: 93.74% (100th percentile)
CVSS vector:
The primary mitigation for CVE-2024-1698 is to upgrade the NotificationX plugin immediately to a version that includes the security patch. If upgrading is not immediately feasible because of compatibility issues or breaking changes, consider a Web Application Firewall (WAF) rule that filters SQL injection attempts targeting the 'type' parameter. Additionally, review and harden the permissions of the WordPress database user to limit the damage a successful attack can do. Monitor web server access logs for requests that carry SQL fragments in the 'type' parameter.
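A quick way to confirm whether an installed copy is still affected is to compare the plugin version reported by WP-CLI against the fixed release, 2.8.3. The script below is an added example, not code from this advisory or from the NotificationX project; it assumes WP-CLI is available as `wp` and is run from the WordPress root, and its pure-sh comparison treats versions as dot-separated integer components (a pre-release suffix such as "-beta" is dropped from the component it is attached to).

```sh
#!/bin/sh
# Added example: is the installed NotificationX release older than the fixed one?
# Assumes WP-CLI is available as `wp` and the script runs from the WordPress root.

FIXED_VERSION="2.8.3"   # first release containing the fix, per the advisory

# version_lt A B: succeeds (exit 0) when version A is strictly older than B.
# Versions are compared component by component as dot-separated integers;
# anything that is not a digit (e.g. "-beta") is dropped from each component.
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ah=$(printf '%s' "${a%%.*}" | tr -cd '0-9'); ah=${ah:-0}
    bh=$(printf '%s' "${b%%.*}" | tr -cd '0-9'); bh=${bh:-0}
    # drop the component just compared, or empty the string when none remain
    case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
    case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
    [ "$ah" -lt "$bh" ] && return 0
    [ "$ah" -gt "$bh" ] && return 1
  done
  return 1   # equal versions are not "less than"
}

# notificationx_status VERSION: prints "vulnerable" or "patched" for that version.
notificationx_status() {
  if version_lt "$1" "$FIXED_VERSION"; then
    echo "vulnerable"
  else
    echo "patched"
  fi
}

# check_installed: ask WP-CLI for the installed version and report on it.
# Exit status: 0 patched, 1 vulnerable, 2 plugin absent or WP-CLI failed.
check_installed() {
  installed=$(wp plugin get notificationx --field=version 2>/dev/null) || {
    echo "notificationx: not installed (or WP-CLI could not read the plugin)"
    return 2
  }
  status=$(notificationx_status "$installed")
  printf 'notificationx %s: %s (fixed in %s)\n' "$installed" "$status" "$FIXED_VERSION"
  [ "$status" = "patched" ]
}

# Run the live check only where WP-CLI exists, so the functions can also be sourced.
if command -v wp >/dev/null 2>&1; then
  check_installed
fi
```

Run it from the WordPress root, or source it and call `notificationx_status` with a version string taken from the plugin's header when WP-CLI is not available. The check reports inactive installs too, since an inactive plugin is still upgradable and its files remain on disk.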
Update the NotificationX plugin to the latest available version. Version 2.8.3 or later fixes the SQL injection vulnerability. This prevents unauthenticated attackers from extracting sensitive information from the database.
CVE-2024-1698 is a critical SQL Injection vulnerability in the NotificationX WordPress plugin, allowing attackers to extract data from the database.
Yes, if you are using the NotificationX plugin at version 2.8.2 or earlier, you are vulnerable to this SQL Injection flaw.
Upgrade the NotificationX plugin to the latest version that contains the security patch. Consider WAF rules as a temporary workaround.
While no active exploitation has been confirmed, the high severity and ease of exploitation suggest it is likely to be targeted soon.
Check the NotificationX plugin website and WordPress plugin repository for the latest advisory and update information.