平台
wordpress
组件
wpvivid-backuprestore
修复版本
0.9.69
CVE-2024-1981 is a critical SQL Injection vulnerability affecting the Migration, Backup, Staging – WPvivid plugin for WordPress. This vulnerability allows unauthenticated attackers to inject malicious SQL queries, potentially leading to data exfiltration. It impacts versions 0.9.68. A patch is expected from the vendor; implement temporary mitigations until the update is available.
The SQL Injection vulnerability in WPvivid allows attackers to manipulate database queries through the 'table_prefix' parameter. Successful exploitation could enable attackers to extract sensitive information such as usernames, passwords, customer data, and other confidential information stored within the WordPress database. Depending on the database structure and permissions, an attacker might even be able to modify or delete data, leading to a complete compromise of the WordPress site. This vulnerability is particularly concerning given the plugin's function of managing backups and migrations, which often contain highly sensitive data.
CVE-2024-1981 was publicly disclosed on 2024-02-29. Public proof-of-concept exploits are likely to emerge quickly given the ease of exploitation associated with SQL Injection vulnerabilities. The CVSS score of 9.8 (CRITICAL) indicates a high probability of exploitation. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting this vulnerability.
WordPress websites utilizing the WPvivid plugin, particularly those handling sensitive customer data or financial information, are at significant risk. Shared hosting environments where multiple WordPress sites share a database are especially vulnerable, as a compromise of one site could potentially expose data from others.
• wordpress / composer / npm:
grep -r "table_prefix" /var/www/html/wp-content/plugins/wpvivid/• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/wpvivid/ | grep Server• wordpress / composer / npm:
wp plugin list | grep wpvivid• wordpress / composer / npm:
wp plugin status wpvividdisclosure
漏洞利用状态
EPSS
2.58% (85% 百分位)
CVSS 向量
The primary mitigation is to immediately upgrade the WPvivid plugin to a patched version as soon as it becomes available. Until the patch is deployed, consider implementing temporary workarounds. Restrict access to the plugin's administrative interface to authorized personnel only. Implement a Web Application Firewall (WAF) with SQL Injection protection rules to filter potentially malicious requests. Regularly review WordPress database access logs for suspicious activity. While a direct detection signature is difficult, monitor database logs for unusual SQL queries originating from the plugin’s directory.
Actualice el plugin Migration, Backup, Staging – WPvivid a la última versión disponible. La vulnerabilidad de inyección SQL en el parámetro 'table_prefix' ha sido corregida en versiones posteriores a la 0.9.68.
漏洞分析和关键警报直接发送到您的邮箱。
CVE-2024-1981 is a critical SQL Injection vulnerability in the WPvivid WordPress plugin, allowing attackers to extract sensitive data from the database through the 'table_prefix' parameter.
If you are using WPvivid version 0.9.68, you are vulnerable. Check your plugin version and upgrade immediately.
Upgrade to the latest version of the WPvivid plugin as soon as a patch is released by the vendor. Until then, implement temporary mitigations like WAF rules and access restrictions.
Given the critical severity and ease of exploitation, it is highly probable that CVE-2024-1981 is already being targeted by attackers. Monitor your systems closely.
Check the WPvivid plugin website and WordPress.org plugin repository for the official security advisory and patch information.
上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。