Platform: wordpress
Component: et-core-plugin
Fixed in: 5.3.6
CVE-2024-33551 describes a SQL Injection vulnerability within the XStore Core WordPress plugin. This flaw allows attackers to inject malicious SQL code, potentially gaining unauthorized access to sensitive data and compromising the entire WordPress installation. The vulnerability impacts versions of XStore Core up to and including 5.3.5, with a fix available in version 5.3.6.
Successful exploitation of this SQL Injection vulnerability could grant an attacker complete control over the underlying database. They could extract sensitive user data, including usernames, passwords, and personal information. Furthermore, an attacker could modify or delete data, leading to data loss and disruption of service. Depending on the database configuration and WordPress setup, the attacker might also be able to execute arbitrary commands on the server, leading to a full system compromise. The potential blast radius extends to all users and data stored within the affected WordPress site.
This vulnerability has been publicly disclosed and assigned a CRITICAL CVSS score. While no active exploitation campaigns have been definitively linked to CVE-2024-33551 at the time of writing, the ease of exploitation and the potential impact make it a high-priority target. It is likely to be added to CISA KEV in the near future. Public proof-of-concept exploits are expected to emerge shortly after disclosure.
Websites using the XStore Core WordPress plugin, particularly those running older versions (≤5.3.5), are at significant risk. Shared hosting environments where multiple WordPress sites share the same database are especially vulnerable, as a compromise of one site could potentially impact others. Sites with weak database security configurations are also at increased risk.
• wordpress / composer / npm:
# Lists the raw SQL statements in the installed plugin so they can be reviewed for unprepared queries
# (adjust the path to your WordPress root; the plugin directory name is taken from this advisory).
grep -r "SELECT .* FROM" /var/www/html/wp-content/plugins/xstore-core/
• generic web:
# Shows whether the plugin directory is reachable on a site (a 200 or 403 response means it is present, 404 means it is not);
# the response headers do not reveal the vulnerability itself, so pair this with the version check on the server.
curl -I https://example.com/wp-content/plugins/xstore-core/
Exploit status
EPSS: 0.59% (69th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to immediately upgrade the XStore Core plugin to version 5.3.6 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) with SQL Injection protection rules. Carefully review and sanitize all user inputs to prevent malicious SQL code from being injected. Monitor WordPress logs for suspicious SQL queries that might indicate an attempted exploitation. After upgrading, verify the fix by attempting a SQL injection attack on the vulnerable endpoint and confirming that it is blocked.
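As an added illustration of what "sanitize all user inputs" means for a WordPress plugin (this is example code, not XStore Core's own code and not the vulnerable endpoint, which this advisory does not identify), the block below puts the classic injectable pattern next to its hardened form. It assumes it runs inside WordPress, where the global `$wpdb` and the helper functions `sanitize_text_field`, `wp_unslash`, `absint`, `check_ajax_referer` and `current_user_can` are available; the function names, the AJAX action `xs_example_lookup` and the `name` / `id` request parameters are hypothetical placeholders.

```php
<?php
/**
 * Added example (not XStore Core's code): a WordPress SQL injection pattern
 * beside its hardened form. Assumes the WordPress runtime ($wpdb, sanitize_*,
 * absint, check_ajax_referer, current_user_can). Function names, the AJAX
 * action and the request parameters are hypothetical placeholders.
 */

// VULNERABLE: the request value is interpolated straight into the SQL string,
// so a value containing a quote rewrites the WHERE clause instead of matching it.
function xs_example_lookup_vulnerable() {
    global $wpdb;
    $name = isset( $_GET['name'] ) ? $_GET['name'] : '';
    $sql  = "SELECT option_value FROM {$wpdb->options} WHERE option_name = '$name'";
    return $wpdb->get_var( $sql );
}

// HARDENED: normalise, allow-list, then bind the value with $wpdb->prepare().
function xs_example_lookup_hardened() {
    global $wpdb;
    $name = isset( $_GET['name'] )
        ? sanitize_text_field( wp_unslash( $_GET['name'] ) )
        : '';

    // Reject anything outside the shape an option name can legitimately have
    // before it gets anywhere near the database.
    if ( ! preg_match( '/^[a-z0-9_]{1,64}$/', $name ) ) {
        return null;
    }

    // %s is quoted and escaped by prepare(); do not add quotes around it yourself.
    $sql = $wpdb->prepare(
        "SELECT option_value FROM {$wpdb->options} WHERE option_name = %s",
        $name
    );
    return $wpdb->get_var( $sql );
}

// Numeric parameters: cast with absint() and bind with %d, never interpolate.
function xs_example_get_post_title( $raw_id ) {
    global $wpdb;
    $id = absint( $raw_id );
    if ( 0 === $id ) {
        return null;
    }
    return $wpdb->get_var(
        $wpdb->prepare( "SELECT post_title FROM {$wpdb->posts} WHERE ID = %d", $id )
    );
}

// Defence in depth for an AJAX endpoint: a nonce ties the request to a page the
// user loaded, and a capability check stops unauthenticated callers outright,
// so an injection attempt never reaches the query even if one slipped through.
function xs_example_ajax_lookup() {
    check_ajax_referer( 'xs_example_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_send_json_success( xs_example_lookup_hardened() );
}
add_action( 'wp_ajax_xs_example_lookup', 'xs_example_ajax_lookup' );
```

When reviewing a plugin after an advisory like this one, the pattern to search for is any `$wpdb->query`, `get_var`, `get_results` or `get_row` call whose SQL string contains a variable that did not pass through `$wpdb->prepare()`; the `grep` command in the check section above is a coarse first pass for exactly that, and each hit should be read in context.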
Update the XStore Core plugin to the latest available version. The SQL injection vulnerability has been fixed in versions after 5.3.5. If you cannot update immediately, consider temporarily disabling the plugin.
CVE-2024-33551 is a critical SQL Injection vulnerability affecting the XStore Core WordPress plugin, allowing attackers to inject malicious SQL code and potentially access sensitive data.
If you are using XStore Core version 5.3.5 or earlier, you are vulnerable. Immediately check your plugin version and upgrade if necessary.
Upgrade the XStore Core plugin to version 5.3.6 or later. If immediate upgrade is not possible, implement a WAF and sanitize user inputs.
While no confirmed active exploitation campaigns are currently known, the vulnerability's severity and ease of exploitation suggest it is a high-priority target and exploitation is likely.
Refer to the official XStore Core website and WordPress plugin repository for the latest security advisory and update information.