Platform: wordpress
Component: userswp
Fixed in: 1.2.11
CVE-2024-6265 is a critical SQL Injection vulnerability affecting the UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress. This vulnerability allows unauthenticated attackers to inject malicious SQL queries, potentially leading to data exfiltration. The vulnerability impacts versions up to and including 1.2.10. A patch is available; users are strongly advised to upgrade immediately.
The SQL Injection vulnerability in UsersWP allows attackers to manipulate database queries through the uwp_sort_by parameter. Successful exploitation could enable attackers to extract sensitive information stored within the WordPress database, including user credentials (usernames and password hashes), user profile data, and potentially other application-specific data. Depending on the database schema and permissions, an attacker might also be able to modify or delete data, leading to a complete compromise of the WordPress site. This vulnerability is particularly concerning given the plugin's function of managing user registration and profiles, which often contain highly sensitive personal information.
CVE-2024-6265 was publicly disclosed on June 29, 2024. As of this writing, there are no publicly available proof-of-concept exploits. The vulnerability's CRITICAL CVSS score indicates a high probability of exploitation if left unpatched. It is recommended to prioritize remediation efforts. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting this vulnerability.
WordPress websites utilizing the UsersWP plugin, particularly those with user registration and profile features, are at risk. Shared hosting environments where multiple WordPress sites share the same database are especially vulnerable, as a compromise of one site could potentially lead to the compromise of others. Sites using older, unpatched versions of the plugin are at the highest risk.
• wordpress / composer / npm:
grep -r "uwp_sort_by" /var/www/html/wp-content/plugins/userswp/
• generic web:
curl --silent "https://your-wordpress-site.com/?uwp_sort_by=test%27%20OR%201%3D1" | grep -i "SQL injection"
• wordpress / composer / npm:
wp plugin list | grep userswp
Disclosure
Exploit Status
EPSS
32.41% (97th percentile)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2024-6265 is to upgrade the UsersWP plugin to a version that addresses the SQL Injection vulnerability (1.2.11 or later). Check the plugin developer's website or the WordPress plugin repository for the latest version. If immediate upgrading is not possible due to compatibility issues or breaking changes, consider temporarily restricting the values accepted for the uwp_sort_by parameter using a WordPress firewall (WAF) or by implementing input validation and sanitization within the plugin's code (if feasible); because the parameter selects a sort order, an allowlist of the expected sort keys is the appropriate check. Monitor web server access logs for requests carrying unexpected values in the uwp_sort_by parameter (quotes, comment sequences, SQL keywords). After upgrading, confirm the vulnerability is resolved by attempting a SQL injection payload through the uwp_sort_by parameter and verifying that it is properly sanitized.
Update the UsersWP plugin to the latest available version. The fixed version includes security measures to prevent SQL injection.
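The two interim controls above, an allowlist check on the sort key and log monitoring for unexpected values, are illustrated by the following added example. It is not code from the advisory or from the UsersWP plugin: the set of sort keys in ALLOWED_SORT_KEYS is an assumption standing in for whatever the plugin actually accepts, and the access log lines are constructed samples in the common Apache/nginx combined format.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: the plugin accepts a small fixed set of sort keys. These names are
# constructed for the example; adjust them to the values your deployment uses.
ALLOWED_SORT_KEYS = {"newer", "older", "alpha_asc", "alpha_desc"}

# Tokens that never belong in a sort key but are typical of attempts to break
# out of an ORDER BY clause: quotes, parentheses, comment markers, SQL keywords.
SUSPICIOUS = re.compile(
    r"['\"();]|--|/\*|\b(or|and|union|select|sleep|benchmark)\b", re.IGNORECASE
)

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines: one normal request, one injection attempt,
# one unknown-but-harmless value, one request without the parameter.
SAMPLE_LOG = [
    '203.0.113.7 - - [29/Jun/2024:10:15:01 +0000] "GET /members/?uwp_sort_by=newer HTTP/1.1" 200 5123',
    '203.0.113.7 - - [29/Jun/2024:10:15:02 +0000] "GET /members/?uwp_sort_by=newer%27%20OR%201%3D1-- HTTP/1.1" 200 5123',
    '198.51.100.9 - - [29/Jun/2024:10:16:00 +0000] "GET /members/?uwp_sort_by=display_name HTTP/1.1" 200 4987',
    '198.51.100.9 - - [29/Jun/2024:10:16:05 +0000] "GET /members/ HTTP/1.1" 200 4987',
]


def is_valid_sort_key(value: str) -> bool:
    """Allowlist check: the only safe way to accept a value that ends up in ORDER BY.
    A WAF rule or plugin-side patch should reject anything for which this is False."""
    return value in ALLOWED_SORT_KEYS


def extract_sort_by(request_path: str):
    """Return the percent-decoded uwp_sort_by value from a request path, or None."""
    params = parse_qs(urlsplit(request_path).query, keep_blank_values=True)
    values = params.get("uwp_sort_by")
    return values[0] if values else None


def scan_access_log(lines):
    """Return (ip, path, decoded value, reason) for every request whose
    uwp_sort_by value is not on the allowlist. Requests that also carry SQL
    metacharacters are labelled separately so they can be triaged first."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        value = extract_sort_by(m.group("path"))
        if value is None or is_valid_sort_key(value):
            continue
        reason = "sql-metacharacters" if SUSPICIOUS.search(value) else "not-on-allowlist"
        findings.append((m.group("ip"), m.group("path"), value, reason))
    return findings


if __name__ == "__main__":
    for ip, path, value, reason in scan_access_log(SAMPLE_LOG):
        print(f"{reason:20} {ip:15} uwp_sort_by={value!r}  ({path})")
```

Values are decoded before inspection so that percent-encoded quotes are not missed; the "not-on-allowlist" findings are the cases a plain metacharacter filter would overlook, which is why the allowlist, not the pattern list, is the control to enforce.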
CVE-2024-6265 is a critical SQL Injection vulnerability in the UsersWP plugin for WordPress, allowing attackers to extract data from the database via the 'uwp_sort_by' parameter.
You are affected if you are using UsersWP plugin versions 1.2.10 or earlier. Check your plugin version and upgrade immediately.
Upgrade the UsersWP plugin to the latest version available on the WordPress plugin repository. Consider temporary WAF rules if immediate upgrade is not possible.
While no public exploits are currently available, the CRITICAL severity suggests a high likelihood of exploitation if left unpatched. Monitor for any signs of activity.
Check the UsersWP plugin developer's website or the WordPress plugin repository for the latest advisory and update information.