Platform: wordpress
Component: wp-travel-engine
Fixed in: 5.7.10
CVE-2024-30502 describes a SQL Injection vulnerability affecting WP Travel Engine versions up to 5.7.9. This flaw allows attackers to inject malicious SQL code, potentially leading to unauthorized data access and manipulation. The vulnerability was published on March 29, 2024, and a fix is available in version 5.7.10.
Successful exploitation of this SQL Injection vulnerability could allow an attacker to bypass authentication and authorization mechanisms, granting them access to the underlying database. This could lead to the theft of sensitive user data, including personal information, booking details, and payment information. Furthermore, an attacker could potentially modify or delete data, disrupting the functionality of the WP Travel Engine plugin and impacting the website's operations. The impact is particularly severe given the potential for widespread data compromise and service disruption.
This vulnerability is considered critical due to the ease of exploitation and potential impact. While no public exploits have been widely reported, the SQL Injection nature of the vulnerability makes it a high-priority target for malicious actors. The vulnerability was disclosed on March 29, 2024, and is tracked by the NVD. There is no indication of this being added to the CISA KEV catalog at this time.
Websites utilizing the WP Travel Engine plugin, particularly those running versions prior to 5.7.10, are at significant risk. Shared hosting environments where multiple websites share the same database are especially vulnerable, as a compromise of one site could potentially lead to the compromise of others. Sites that have not implemented robust input validation and sanitization practices are also at increased risk.
• wordpress / composer / npm:
  grep -rE "wp_query\(|SELECT \* FROM" /var/www/html/wp-content/plugins/wp-travel-engine/
  (this only flags raw query strings in the installed plugin source; it does not by itself confirm the vulnerable code path, so verify the plugin version as well)
• generic web:
  curl --silent -I "https://your-website.com/wp-admin/admin.php?page=wp-travel-engine-settings&action=update_settings&field=some_input' OR 1=1" | grep -i "200 ok"
Exploit status:
EPSS: 18.43% (95th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2024-30502 is to immediately upgrade WP Travel Engine to version 5.7.10 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) with rules to detect and block SQL Injection attempts targeting the vulnerable endpoints. Carefully review and sanitize all user inputs to prevent malicious SQL code from being injected. Regularly scan your WordPress installation for vulnerabilities using a reputable security plugin. After upgrading, confirm the fix by attempting a SQL Injection attack on the vulnerable endpoint and verifying that it is blocked.
Update the WP Travel Engine plugin to the latest available version. The unauthenticated blind SQL injection vulnerability has been fixed in versions after 5.7.9. To update, go to the WordPress admin dashboard, then to the Plugins section, and look for WP Travel Engine. Click 'Update Now'.
CVE-2024-30502 is a critical SQL Injection vulnerability affecting WP Travel Engine versions up to 5.7.9, allowing attackers to inject malicious SQL code and potentially access sensitive data.
You are affected if you are using WP Travel Engine version 5.7.9 or earlier. Immediately check your plugin version and upgrade if necessary.
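As an added example, not part of this advisory or of the WP Travel Engine project, the following Python script performs the version check described above: it reads the standard WordPress plugin header block, extracts the "Version:" line, and compares it numerically against the fixed version 5.7.10 (a plain string comparison would wrongly rank 5.7.9 above 5.7.10). The plugin file path and the sample header block are assumptions constructed for the example; the real main file name may differ.

```python
import re
import sys
from typing import Dict, Optional, Tuple

# Fixed version stated in the advisory for CVE-2024-30502.
FIXED_VERSION = "5.7.10"

# Assumed location of the plugin's main file (assumption: the real file name may
# differ; WordPress reads the header from whichever file in the plugin directory
# carries the "Plugin Name:" header).
DEFAULT_PLUGIN_FILE = (
    "/var/www/html/wp-content/plugins/wp-travel-engine/wp-travel-engine.php"
)

# Constructed sample header, NOT the real plugin file: it mimics the standard
# WordPress plugin header block and declares a version the advisory lists as affected.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: WP Travel Engine
 * Plugin URI:  https://example.invalid/wp-travel-engine
 * Version:     5.7.9
 */
"""

# Mirrors the lenient prefix WordPress itself accepts in front of header keys
# (leading spaces, '*', '/', '#', '@'), so both "/* ... */" and " * " styles parse.
_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*([0-9][0-9A-Za-z.\-]*)", re.MULTILINE)


def parse_plugin_version(header_text: str) -> Optional[str]:
    """Return the value of the 'Version:' header line, or None if it is absent."""
    match = _VERSION_RE.search(header_text)
    return match.group(1) if match else None


def version_tuple(version: str) -> Tuple[int, ...]:
    """Split a dotted version into integers so that '5.7.9' < '5.7.10' holds."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is strictly older than the fixed release."""
    return version_tuple(installed) < version_tuple(fixed)


def assess_header(header_text: str) -> Dict[str, object]:
    """Assess one plugin header block; 'affected' is None when no version is found."""
    version = parse_plugin_version(header_text)
    return {
        "version": version,
        "affected": is_affected(version) if version else None,
    }


def check_plugin_file(path: str = DEFAULT_PLUGIN_FILE) -> Dict[str, object]:
    """Read the first 8 KiB of the plugin file (the same window WordPress uses
    for plugin headers) and assess it."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return assess_header(fh.read(8192))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_PLUGIN_FILE
    try:
        result = check_plugin_file(target)
    except OSError as exc:
        sys.exit(f"cannot read {target}: {exc}")
    if result["version"] is None:
        sys.exit(f"{target}: no 'Version:' header found")
    state = "AFFECTED (upgrade to %s or later)" % FIXED_VERSION if result["affected"] else "not affected"
    print(f"{target}: WP Travel Engine {result['version']} is {state}")
```

Run it as `python3 check_wpte.py /path/to/wp-travel-engine/<main-file>.php` on the web host; on sites managed with WP-CLI, `wp plugin get wp-travel-engine --field=version` reports the same header value, and the `is_affected` helper can be applied to that output directly.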
Upgrade WP Travel Engine to version 5.7.10 or later. Consider a WAF as an interim measure if immediate upgrade is not possible.
While no widespread exploitation has been confirmed, the vulnerability's nature makes it a likely target for malicious actors. Proactive mitigation is highly recommended.
Refer to the WP Travel Engine website and WordPress plugin repository for the latest security advisories and updates related to CVE-2024-30502.