CRITICALCVE-2024-30490CVSS 9.3

WordPress ProfileGrid plugin <= 5.7.8 - SQL Injection vulnerability

Q: What is CVE-2024-30490 — SQL Injection in ProfileGrid?

CVE-2024-30490 is a critical SQL Injection vulnerability affecting ProfileGrid versions up to 5.7.8. Attackers can inject malicious SQL code to potentially access or manipulate data.

Q: Am I affected by CVE-2024-30490 in ProfileGrid?

If you are using ProfileGrid version 5.7.8 or earlier, you are vulnerable. Check your plugin version and upgrade immediately.

Q: How do I fix CVE-2024-30490 in ProfileGrid?

Upgrade ProfileGrid to version 5.7.9 or later. This resolves the SQL Injection vulnerability.

Q: Is CVE-2024-30490 being actively exploited?

While no active exploitation campaigns have been confirmed, the CRITICAL severity suggests a high likelihood of exploitation attempts.

Q: Where can I find the official ProfileGrid advisory for CVE-2024-30490?

Refer to the official ProfileGrid website and WordPress plugin repository for the latest security advisories and updates.

翻译中…

平台

wordpress

组件

profilegrid-user-profiles-groups-and-communities

修复版本

5.7.9

AI Confidence: highNVDEPSS 14.4%已审阅: 2026年5月

在NVD查看

保存

正在翻译为您的语言…

CVE-2024-30490 describes a SQL Injection vulnerability discovered in ProfileGrid, a WordPress plugin. This flaw allows attackers to inject malicious SQL code, potentially gaining unauthorized access to sensitive data and compromising the entire system. The vulnerability affects versions of ProfileGrid up to 5.7.8, and a patch is available in version 5.7.9.

WordPress

检测此 CVE 是否影响你的项目

上传你的依赖文件，立即了解此CVE和其他CVE是否影响你。

免费扫描

影响与攻击场景翻译中…

Successful exploitation of CVE-2024-30490 could allow an attacker to bypass authentication and execute arbitrary SQL queries against the database. This could lead to the theft of sensitive user data, including usernames, passwords, and personal information. Furthermore, an attacker could potentially modify or delete data, disrupt service, or even gain control of the underlying server. The impact is particularly severe given ProfileGrid's potential use in managing user profiles and sensitive business data.

利用背景翻译中…

CVE-2024-30490 was publicly disclosed on March 29, 2024. While no active exploitation campaigns have been publicly confirmed, the CRITICAL severity and ease of exploitation suggest a high likelihood of exploitation attempts. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge given the vulnerability's nature and severity.

哪些人处于风险中翻译中…

Organizations and individuals using ProfileGrid on WordPress sites, particularly those handling sensitive user data or relying on ProfileGrid for critical business processes, are at significant risk. Shared hosting environments where multiple websites share the same database are especially vulnerable, as a compromise of one site could potentially impact others.

检测步骤翻译中…

• wordpress / composer / npm:

grep -r "SELECT .* FROM" /var/www/html/wp-content/plugins/profilegrid/

• generic web:

curl -I https://your-wordpress-site.com/wp-content/plugins/profilegrid/ | grep SQL

• wordpress / composer / npm:

wp plugin list | grep profilegrid

• wordpress / composer / npm:

wp plugin update profilegrid

攻击时间线

2024-03-29Disclosure
disclosure

威胁情报

漏洞利用状态

概念验证未知

CISA KEVNO

互联网暴露高

EPSS

14.44% (94% 百分位)

CVSS 向量

这些指标意味着什么？

Attack Vector: 网络 — 可通过互联网远程利用，无需物理或本地访问。攻击面最大。
Attack Complexity: 低 — 无需特殊条件，可以稳定地利用漏洞。
Privileges Required: 无 — 无需认证，无需凭证即可利用。
User Interaction: 无 — 攻击自动且无声，受害者无需任何操作。
Scope: 已改变 — 攻击可以超出脆弱组件，影响其他系统。
Confidentiality: 高 — 完全丧失机密性，攻击者可读取所有数据。
Integrity: 无 — 无完整性影响。
Availability: 低 — 部分或间歇性拒绝服务。

受影响的软件

组件profilegrid-user-profiles-groups-and-communities

供应商Metagauss

影响范围修复版本

0.0.0 – 5.7.85.7.9

软件包信息

活跃安装数: 6K热门
插件评分: 4.6
需要WordPress版本: 3.5+
兼容至: 7.0
需要PHP版本: 7.4+

主页

弱点分类 (CWE)

CWE-89

时间线

已保留2024-03-27
发布日期2024-03-29
修改日期2024-08-08
EPSS 更新日期2026-04-02

披露后-22天发布补丁

缓解措施和替代方案翻译中…

The primary mitigation for CVE-2024-30490 is to immediately upgrade ProfileGrid to version 5.7.9 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as input validation and parameterized queries within your application code. While a WAF might offer some protection, it is not a substitute for patching the vulnerability. Regularly review and audit database access controls to minimize the potential impact of a successful attack.

修复方法翻译中…

Actualice el plugin ProfileGrid a la última versión disponible. La vulnerabilidad de inyección SQL permite la ejecución de comandos SQL arbitrarios. Se recomienda realizar la actualización lo antes posible para evitar posibles ataques.

CVE 安全通讯

漏洞分析和关键警报直接发送到您的邮箱。

常见问题翻译中…

What is CVE-2024-30490 — SQL Injection in ProfileGrid?

CVE-2024-30490 is a critical SQL Injection vulnerability affecting ProfileGrid versions up to 5.7.8. Attackers can inject malicious SQL code to potentially access or manipulate data.

Am I affected by CVE-2024-30490 in ProfileGrid?

If you are using ProfileGrid version 5.7.8 or earlier, you are vulnerable. Check your plugin version and upgrade immediately.

How do I fix CVE-2024-30490 in ProfileGrid?

Upgrade ProfileGrid to version 5.7.9 or later. This resolves the SQL Injection vulnerability.

Is CVE-2024-30490 being actively exploited?

While no active exploitation campaigns have been confirmed, the CRITICAL severity suggests a high likelihood of exploitation attempts.

Where can I find the official ProfileGrid advisory for CVE-2024-30490?

Refer to the official ProfileGrid website and WordPress plugin repository for the latest security advisories and updates.

你的项目受影响吗?

上传你的依赖文件，立即了解此CVE和其他CVE是否影响你。

免费扫描搜索 CVE