Platform: wordpress
Component: wp-recall
Fixed version: 16.26.6
CVE-2024-32709 describes a SQL Injection vulnerability discovered in the WP-Recall WordPress plugin. This flaw allows attackers to inject malicious SQL code, potentially compromising the database and gaining unauthorized access to sensitive information. The vulnerability impacts versions of WP-Recall up to and including 16.26.5. A patch is available in version 16.26.6.
Successful exploitation lets an attacker run queries as the site's MySQL user, which on a standard WordPress install is the single account from wp-config.php with full rights on the whole database. That means reading, modifying, or deleting any table: wp_users (password hashes that can be cracked or overwritten to take over an administrator account), wp_options, customer and business data, and WP-Recall's own tables. The usual path from there to code execution is not the SQL injection itself but the stolen or replaced administrator credentials, which allow the normal plugin and theme upload; direct file or command execution from the query (FILE privilege, secure_file_priv disabled) depends on the MySQL configuration and is not something this advisory confirms. The blast radius covers everything stored in the WordPress database, which makes this a high-impact vulnerability for organizations relying on WP-Recall.
CVE-2024-32709 was publicly disclosed on April 24, 2024. No confirmed in-the-wild exploitation campaign and no public proof-of-concept (PoC) had been reported at the time of writing. Even so, the critical severity, the EPSS score shown on this page (92.91%, 100th percentile) and the ease with which unauthenticated SQL injection in a WordPress plugin can be automated make exploitation highly likely; bugs of this class are routinely mass-scanned within days of disclosure. A CISA KEV listing would mean confirmed exploitation, so check the catalog directly rather than assuming either way.
Websites using the WP-Recall plugin are at risk, and the impact scales with what is stored in the WordPress database. Because the injection runs with the privileges of the site's database user, shared hosting setups where several WordPress installs use the same database server under the same credentials, and multisite networks where all sites share one database, are especially exposed: a compromise of one site reaches the others' tables as well.
How to check whether you are affected:
• wordpress (on the server, via the plugin header or WP-CLI):
grep -iE '^\s*\*?\s*Version:' /var/www/html/wp-content/plugins/wp-recall/*.php
wp plugin get wp-recall --field=version
• generic web (remote fingerprint; only works when the plugin's readme.txt is served, and a Stable tag of "trunk" tells you nothing):
curl -s https://your-wordpress-site.com/wp-content/plugins/wp-recall/readme.txt | grep -i 'stable tag'
Any version below 16.26.6 is affected. Compare numerically, not as strings: "16.26.10" sorts before "16.26.6" lexically. Grepping the plugin source for SELECT statements matches every query the plugin issues and says nothing about whether the fix is installed.
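As an added example (not code from this page or from the WP-Recall project): a Python check that reads the installed version from the standard WordPress plugin header ("Version:") or from readme.txt ("Stable tag:") and compares it numerically against 16.26.6. The header and readme texts embedded in the script are constructed samples, and the function names are my own.

```python
"""Version check for CVE-2024-32709 (WP-Recall < 16.26.6).

Added example, not the page's or the plugin's code. Parses the standard
WordPress plugin header ("Version:") or the readme.txt "Stable tag:" line
and compares the result numerically with the fixed version. The two
sample texts below are constructed for the example.
"""
import re
from pathlib import Path
from typing import Optional, Tuple

FIXED_VERSION = "16.26.6"

# Constructed sample of a plugin header block (the real plugin file is not reproduced).
SAMPLE_PLUGIN_HEADER = """<?php
/*
Plugin Name: WP-Recall
Plugin URI: https://example.com/
Description: constructed sample header
Version: 16.26.5
*/
"""

# Constructed sample of a readme.txt as served from wp-content/plugins/<slug>/readme.txt.
SAMPLE_README = """=== WP-Recall ===
Requires at least: 5.0
Tested up to: 6.5
Stable tag: 16.26.6
"""

# Header lines may sit inside a "/* ... */" block, with or without a leading " * ".
_VERSION_RE = re.compile(r"^[ \t]*\*?[ \t]*Version:[ \t]*([0-9][0-9A-Za-z.\-]*)",
                         re.IGNORECASE | re.MULTILINE)
_STABLE_RE = re.compile(r"^[ \t]*Stable tag:[ \t]*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_plugin_version(header_text: str) -> Optional[str]:
    """Return the Version: value from a plugin header block, or None if absent."""
    m = _VERSION_RE.search(header_text)
    return m.group(1) if m else None


def parse_stable_tag(readme_text: str) -> Optional[str]:
    """Return the readme Stable tag, or None if absent or 'trunk' (unversioned)."""
    m = _STABLE_RE.search(readme_text)
    if not m or m.group(1).lower() == "trunk":
        return None
    return m.group(1)


def version_tuple(version: str) -> Tuple[int, ...]:
    """Numeric components, so 16.26.10 sorts after 16.26.6 (a string compare gets this wrong).
    Non-numeric suffixes such as '-beta' are dropped, so '16.26.6-beta' counts as fixed."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """Affected range for CVE-2024-32709: every release before 16.26.6."""
    return version_tuple(version) < version_tuple(fixed)


def check_plugin_dir(plugin_dir: Path) -> Optional[bool]:
    """Inspect a real install: the header lives in one of the top-level .php files.
    Returns True (vulnerable), False (fixed) or None (no version header found)."""
    for php in sorted(plugin_dir.glob("*.php")):
        version = parse_plugin_version(php.read_text(errors="replace"))
        if version:
            return is_vulnerable(version)
    return None


if __name__ == "__main__":
    local = parse_plugin_version(SAMPLE_PLUGIN_HEADER)
    remote = parse_stable_tag(SAMPLE_README)
    print(f"plugin header reports {local}: vulnerable={is_vulnerable(local)}")
    print(f"readme stable tag reports {remote}: vulnerable={is_vulnerable(remote)}")
    # On a real server: check_plugin_dir(Path("/var/www/html/wp-content/plugins/wp-recall"))
```

The readme fingerprint is only a hint: the Stable tag can lag behind the code actually deployed, and many hosts block direct access to readme.txt, so treat the on-server header check as authoritative.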
Exploitation status
EPSS: 92.91% (100th percentile)
CISA SSVC: (not provided)
CVSS vector: (not provided)
The primary mitigation for CVE-2024-32709 is to upgrade the WP-Recall plugin to version 16.26.6 or later immediately. If an upgrade is not feasible right away because of compatibility issues or breaking changes, deactivate the plugin until it is, or at minimum put a Web Application Firewall (WAF) rule in front of the site that blocks SQL injection patterns in requests to the plugin's paths and to admin-ajax.php; a WAF reduces exposure but does not fix the bug. If you maintain custom code that queries WP-Recall's tables, pass every user-controlled value through $wpdb->prepare() rather than concatenating it into SQL. WordPress itself does not log SQL, so monitor the web server access logs and WAF logs for injection attempts, and the MySQL general or slow query log if you can afford to enable it.
Update the WP-Recall plugin to the latest available version. If you cannot update, disable the plugin until you can. Consult the vendor's website for more information and updates.
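For the log-monitoring advice above, an added example (not code from this page or from the WP-Recall project): a Python scanner that parses combined-format access-log lines, percent-decodes the request URL until it is stable so double-encoded payloads are seen, and flags generic SQL-injection indicators, noting whether the request targets the wp-recall plugin path or admin-ajax.php. The log lines are constructed samples with generic payloads; they do not reproduce the actual CVE-2024-32709 request, which this page does not publish. The function and pattern names are my own.

```python
"""Scan web-server access logs for SQL-injection attempts against a WordPress site.

Added example, not the page's or the plugin's code, and it does not encode the
actual CVE-2024-32709 payload (not published on this page). It looks for generic
SQLi indicators in decoded request URLs and marks requests aimed at the wp-recall
plugin path or admin-ajax.php. The log lines below are constructed samples.
"""
import re
from typing import Dict, List
from urllib.parse import unquote_plus

# Constructed sample in combined log format; 203.0.113.0/24 and 198.51.100.0/24
# are documentation address ranges. Note that POST bodies never appear in an
# access log, so body-borne payloads need WAF or application-level logging.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Apr/2024:10:15:02 +0000] "GET /wp-content/plugins/wp-recall/?id=1%27%20UNION%20SELECT%20user_login,user_pass%20FROM%20wp_users--%20- HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Apr/2024:10:15:03 +0000] "POST /wp-admin/admin-ajax.php?action=example_action HTTP/1.1" 200 90 "-" "Mozilla/5.0"
198.51.100.4 - - [24/Apr/2024:10:16:10 +0000] "GET /wp-content/plugins/wp-recall/assets/style.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [24/Apr/2024:10:17:45 +0000] "GET /?s=1%2527%2520OR%25201%253D1 HTTP/1.1" 200 4096 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)

# Generic indicators, applied to the fully decoded URL. Tune for your traffic;
# the comment-terminator rule in particular can fire on legitimate content.
SQLI_PATTERNS = [
    ("union-select", re.compile(r"union\s+(all\s+)?select", re.I)),
    ("boolean-tautology", re.compile(r"'\s*(or|and)\s+[\w'\"]", re.I)),
    ("time-based", re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.I)),
    ("error-based", re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I)),
    ("schema-enumeration", re.compile(r"information_schema", re.I)),
    ("comment-terminator", re.compile(r"--[\s-]|/\*.*\*/")),
]

# Paths the plugin and WordPress AJAX handlers answer on (standard locations).
PLUGIN_PATHS = ("/wp-content/plugins/wp-recall/", "/wp-admin/admin-ajax.php")


def fully_decode(url: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable, so double-encoded payloads (%2527 -> %27 -> ') are seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(url)
        if decoded == url:
            break
        url = decoded
    return url


def sqli_indicators(url: str) -> List[str]:
    """Names of the indicator patterns that match the decoded URL."""
    decoded = fully_decode(url)
    return [name for name, rx in SQLI_PATTERNS if rx.search(decoded)]


def scan_log(lines) -> List[Dict]:
    """Return one record per request that carries SQLi indicators."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        found = sqli_indicators(m["url"])
        if not found:
            continue
        hits.append({
            "ip": m["ip"],
            "time": m["ts"],
            "method": m["method"],
            "decoded_url": fully_decode(m["url"]),
            "indicators": found,
            "targets_plugin": m["url"].startswith(PLUGIN_PATHS),
        })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(hit)
```

Two caveats the sample lines illustrate: the POST to admin-ajax.php is not flagged because its body is not in the access log, so a scanner like this only catches payloads carried in the URL; and the last line is only caught because of the repeated decoding, which a single unquote would miss.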
CVE-2024-32709 is a critical SQL Injection vulnerability affecting the WP-Recall WordPress plugin, allowing attackers to inject malicious SQL code and potentially compromise the database.
You are affected if you are using WP-Recall version 16.26.5 or earlier. Check your plugin version and upgrade immediately if vulnerable.
Upgrade the WP-Recall plugin to version 16.26.6 or later. If immediate upgrade is not possible, implement a WAF rule and sanitize user inputs.
No active exploitation campaign has been confirmed, but the critical severity, the 92.91% EPSS score and the ease of exploiting SQL injection make exploitation highly likely.
Refer to the WP-Recall plugin's official website or WordPress plugin repository for the latest advisory and update information.