Platform
wordpress
Component
profilegrid-user-profiles-groups-and-communities
Fixed in
5.7.9
CVE-2024-30490 describes a SQL Injection vulnerability discovered in ProfileGrid, a WordPress plugin. This flaw allows attackers to inject malicious SQL code, potentially gaining unauthorized access to sensitive data and compromising the entire system. The vulnerability affects versions of ProfileGrid up to 5.7.8, and a patch is available in version 5.7.9.
Successful exploitation of CVE-2024-30490 could allow an attacker to bypass authentication and execute arbitrary SQL queries against the database. This could lead to the theft of sensitive user data, including usernames, passwords, and personal information. Furthermore, an attacker could potentially modify or delete data, disrupt service, or even gain control of the underlying server. The impact is particularly severe given ProfileGrid's potential use in managing user profiles and sensitive business data.
CVE-2024-30490 was publicly disclosed on March 29, 2024. While no active exploitation campaigns have been publicly confirmed, the CRITICAL severity and ease of exploitation suggest a high likelihood of exploitation attempts. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge given the vulnerability's nature and severity.
Organizations and individuals using ProfileGrid on WordPress sites, particularly those handling sensitive user data or relying on ProfileGrid for critical business processes, are at significant risk. Shared hosting environments where multiple websites share the same database are especially vulnerable, as a compromise of one site could potentially impact others.
• wordpress / composer / npm:
  grep -r "SELECT .* FROM" /var/www/html/wp-content/plugins/profilegrid/
• generic web:
  curl -I https://your-wordpress-site.com/wp-content/plugins/profilegrid/ | grep SQL
• wordpress / composer / npm:
  wp plugin list | grep profilegrid
• wordpress / composer / npm:
  wp plugin update profilegrid
disclosure
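The plugin-version check above only greps for the plugin name; the following added shell example (not from the advisory or the ProfileGrid project) reads the CSV form of `wp plugin list` and classifies the installed version against the 5.7.9 fix, handling multi-digit components such as 5.7.10 correctly. The plugin slug `profilegrid` and the CSV column order `name,status,update,version` are assumptions taken from the advisory's commands and wp-cli's default columns; the sample output is constructed.

```shell
#!/bin/sh
# Added example, not code from the advisory or the ProfileGrid project:
# classify an installed ProfileGrid version against the CVE-2024-30490 fix.
# Fixed version from the advisory; slug assumed from its wp-cli commands.
FIXED_VERSION="5.7.9"
PLUGIN_SLUG="profilegrid"

# version_lt A B: succeed (exit 0) when dotted version A is strictly below B.
# Compares component by component so 5.7.10 is correctly above 5.7.9;
# a missing component counts as 0 and a suffix such as "-beta" is ignored.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "$ai" = "$a" ] && a="" || a="${a#*.}"
        [ "$bi" = "$b" ] && b="" || b="${b#*.}"
        ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"
        ai="${ai:-0}"; bi="${bi:-0}"
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
    done
    return 1
}

# cve_2024_30490_status: reads "wp plugin list --format=csv" output on stdin
# and prints "not-installed", "vulnerable <version>" or "patched <version>".
cve_2024_30490_status() {
    found=""
    while IFS=, read -r name _status _update version _rest; do
        [ "$name" = "$PLUGIN_SLUG" ] || continue
        found="$version"
    done
    if [ -z "$found" ]; then
        echo "not-installed"
    elif version_lt "$found" "$FIXED_VERSION"; then
        echo "vulnerable $found"
    else
        echo "patched $found"
    fi
}

# Constructed sample of wp-cli CSV output (not taken from a real site).
SAMPLE_PLUGIN_LIST='name,status,update,version
akismet,active,none,5.3
profilegrid,active,available,5.7.8
hello,inactive,none,1.7.2'
# Stand-alone run on the sample; on a live site pipe the real command instead:
#   wp plugin list --format=csv | cve_2024_30490_status
printf '%s\n' "$SAMPLE_PLUGIN_LIST" | cve_2024_30490_status   # → vulnerable 5.7.8
```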
Exploit Status
EPSS
14.44% (94th percentile)
CVSS Vector
The primary mitigation for CVE-2024-30490 is to immediately upgrade ProfileGrid to version 5.7.9 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as input validation and parameterized queries within your application code. While a WAF might offer some protection, it is not a substitute for patching the vulnerability. Regularly review and audit database access controls to minimize the potential impact of a successful attack.
Update the ProfileGrid plugin to the latest available version. The SQL injection vulnerability allows execution of arbitrary SQL commands. Updating as soon as possible is recommended to prevent possible attacks.
CVE-2024-30490 is a critical SQL Injection vulnerability affecting ProfileGrid versions up to 5.7.8. Attackers can inject malicious SQL code to potentially access or manipulate data.
If you are using ProfileGrid version 5.7.8 or earlier, you are vulnerable. Check your plugin version and upgrade immediately.
Upgrade ProfileGrid to version 5.7.9 or later. This resolves the SQL Injection vulnerability.
While no active exploitation campaigns have been confirmed, the CRITICAL severity suggests a high likelihood of exploitation attempts.
Refer to the official ProfileGrid website and WordPress plugin repository for the latest security advisories and updates.