Platform
wordpress
Component
woocommerce-products-filter
Fixed version
1.3.7
CVE-2024-6457 describes a critical SQL Injection vulnerability affecting the HUSKY – Products Filter Professional for WooCommerce plugin. This flaw allows unauthenticated attackers to inject malicious SQL queries, potentially leading to data exfiltration and compromise of the WordPress database. The vulnerability impacts versions up to and including 1.3.6. A patch is available; users are strongly advised to upgrade immediately.
The SQL Injection vulnerability in HUSKY – Products Filter Professional for WooCommerce allows attackers to manipulate database queries through the ‘woof_author’ request parameter. Successful exploitation could enable attackers to extract sensitive information such as user credentials (password hashes from the WordPress users table), customer data and order details; a recovered or cracked administrator credential would then give full control of the site. The impact is particularly severe because the vulnerability is unauthenticated: an attacker does not need an account, so anyone who can reach the storefront can attempt it. This could lead to a complete data breach and compromise of the entire WordPress installation.
CVE-2024-6457 was publicly disclosed on 2024-07-16. While no active exploitation campaigns have been publicly confirmed, the vulnerability's critical severity and ease of exploitation make it a high-priority target. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge, increasing the risk of widespread exploitation.
WordPress websites running the HUSKY – Products Filter Professional for WooCommerce plugin at version 1.3.6 or earlier are at significant risk; the filter parameter is exposed on the public storefront, so every such site is reachable by an unauthenticated attacker. Shared hosting environments where several sites use the same database server, or worse the same database user, are especially exposed, because a successful injection on one site may read or alter tables belonging to others.
• wordpress / composer / npm:
grep -r "woof_author" /var/www/html/wp-content/plugins/woocommerce-products-filter/   # plugin directory named after the component slug above; a hit only confirms the plugin is installed and handles the parameter, not its version. Read the Version: header of the plugin's main PHP file: 1.3.6 or lower is affected, 1.3.7 or later is fixed.
• generic web:
curl -s -o /dev/null -w '%{http_code}\n' 'https://your-wordpress-site.com/?woof_author='   # only confirms the site accepts the parameter; response headers cannot show SQL syntax, so do not treat this as a vulnerability test
Exploitation status
EPSS
8.48% (92nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-6457 is to upgrade the HUSKY – Products Filter Professional for WooCommerce plugin to 1.3.7 or later, the versions that include the security fix. If an immediate upgrade is not possible due to compatibility issues or breaking changes, implement a Web Application Firewall (WAF) rule for the ‘woof_author’ parameter. A positive rule that accepts only the value format the filter legitimately uses is more robust than a blocklist of SQL keywords, which is easily evaded with URL encoding; if you must blocklist, decode the value fully before matching. Additionally, review and harden database user permissions (a dedicated, least-privilege database user per site) to limit the potential impact of a successful injection. After the upgrade, confirm the fix by checking that the installed version reads 1.3.7 or later; if you also want a behavioural check, test only against a site you are authorized to test and use a non-destructive probe.
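As an added example (not from the advisory or the plugin), the Python screen below shows both halves of the WAF advice above for the ‘woof_author’ parameter: values are first fully URL-decoded, because nested encoding such as %2527 is a common way past a naive filter, then accepted only if they match an allowlist; anything else is flagged, and a blocklist of SQL markers grades the flagged values. The assumption that legitimate values are comma-separated numeric author IDs is mine and must be confirmed against your own site's filter URLs before enforcing it. The same classify_param() logic runs over access-log lines so it can also hunt for attempts that predate the patch; the log lines are constructed, not real traffic.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

PARAM = "woof_author"

# Assumption (verify on your site): legitimate values are comma-separated numeric author IDs.
ALLOWED = re.compile(r"^\d+(?:,\d+)*$")

# Markers that have no business in an author-ID filter; used to grade anything outside the allowlist.
SQL_MARKERS = re.compile(
    r"""['"`;\\]|--|/\*|\*/|\b(?:union|select|sleep|benchmark|information_schema|or|and)\b|\d+\s*=\s*\d+""",
    re.IGNORECASE,
)


def decode_fully(value, max_rounds=3):
    """Strip nested percent-encoding (e.g. %2527 -> %27 -> ') so the filter sees what the database would."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_param(raw):
    """'allow' for empty or allowlisted values, 'block' when SQL markers appear, 'review' otherwise."""
    value = decode_fully(raw).strip()
    if value == "" or ALLOWED.fullmatch(value):
        return "allow"
    if SQL_MARKERS.search(value):
        return "block"
    return "review"


# Combined-log-format request line; enough fields for hunting, not a full parser.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_log(lines):
    """Return (ip, verdict, decoded_value) for every woof_author value that is not allowlisted."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)  # decodes one layer
        for value in query.get(PARAM, []):
            verdict = classify_param(value)
            if verdict != "allow":
                findings.append((m["ip"], verdict, decode_fully(value)))
    return findings


# Constructed sample log lines (not real traffic): a legitimate filter, a UNION attempt,
# a double-encoded tautology, an unexpected but harmless value, and an unrelated request.
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Jul/2024:10:00:01 +0000] "GET /?woof_author=12,34 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [16/Jul/2024:10:00:02 +0000] "GET /?woof_author=1%20UNION%20SELECT%201,2,3--%20- HTTP/1.1" 200 5120',
    '198.51.100.7 - - [16/Jul/2024:10:00:03 +0000] "GET /?woof_author=1%2527%2520OR%25201%253D1 HTTP/1.1" 200 5120',
    '192.0.2.9 - - [16/Jul/2024:10:00:04 +0000] "GET /?woof_author=editor HTTP/1.1" 200 5120',
    '192.0.2.9 - - [16/Jul/2024:10:00:05 +0000] "GET /shop/?s=chair HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for ip, verdict, value in scan_log(SAMPLE_LOG):
        print(f"{verdict:6} {ip:15} {value!r}")
```

In a WAF or reverse-proxy hook, reject the request when classify_param() returns "block" and log "review" verdicts for tuning before you tighten the allowlist; over historical logs, the "block" findings are the candidates to correlate with database activity from before the upgrade.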
Update the HUSKY – Products Filter Professional for WooCommerce plugin to the latest available version. The SQL Injection vulnerability is fixed in 1.3.7 and later. This prevents unauthenticated attackers from exploiting the vulnerability to extract sensitive information from the database.
CVE-2024-6457 is a critical SQL Injection vulnerability in the HUSKY – Products Filter Professional for WooCommerce plugin, allowing attackers to extract data.
You are affected if you are using HUSKY – Products Filter Professional for WooCommerce version 1.3.6 or earlier.
Upgrade the plugin to the latest version, which includes the security fix. Consider a WAF as a temporary mitigation.
While no active exploitation campaigns have been confirmed, the vulnerability's severity makes it a likely target.
Refer to the official HUSKY website or WordPress plugin repository for the latest advisory and update information.