Summary: A critical SQL injection vulnerability in the TI WooCommerce Wishlist plugin for WordPress could expose over 100,000 websites to attacks, allowing unauthenticated users to execute arbitrary SQL queries. The flaw, tracked as CVE-2024-43917, remains unpatched in the latest version of the plugin, prompting urgent action from site administrators.
Threat Actor: Unknown
Victim: WordPress site owners
Key Points:
- Vulnerability allows attackers to execute arbitrary SQL queries on affected sites.
- The flaw has a CVSS score of 9.3, indicating its critical severity.
- Site owners are advised to deactivate and delete the plugin immediately.
- The vulnerability remains unpatched in version 2.8.2 of the plugin.
- Technical details published by Ananda Dhakal from Patchstack emphasize the need for urgent action.

A critical security vulnerability has been discovered in the widely used WordPress plugin TI WooCommerce Wishlist, potentially exposing over 100,000 websites to malicious attacks. The flaw, tracked as CVE-2024-43917 with a CVSS score of 9.3, allows unauthenticated users to execute arbitrary SQL queries, potentially granting them full control over affected websites.
The vulnerability stems from a SQL injection flaw within the plugin's code. Attackers can exploit it to bypass security measures and manipulate the WordPress site's database, leading to data breaches, defacements, and even complete site takeover.
As of the latest version of the plugin, 2.8.2, the vulnerability remains unpatched, leaving site administrators and owners with limited options to secure their websites. In the meantime, Ananda Dhakal from Patchstack has published the technical details surrounding this flaw, which further highlights its severity and the urgent need for action.
If you are using the TI WooCommerce Wishlist plugin on your WordPress site, it is strongly recommended to deactivate and delete the plugin immediately. Without a patched version, continuing to use the plugin exposes your site to significant risk, potentially allowing attackers to compromise the database and access sensitive information.
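A fleet check for this recommendation, added here as an example and not part of the advisory or the plugin: it reads the plugin's `Version:` header from a WordPress install and flags anything at or below 2.8.2, the latest release the advisory reports as unpatched. The plugin slug and main-file name are assumptions based on WordPress.org conventions, not values taken from the advisory.

```python
import re
from pathlib import Path
from typing import Optional

# Assumed (WordPress.org conventions, not from the advisory): plugin slug and
# main file under wp-content/plugins/.
PLUGIN_SLUG = "ti-woocommerce-wishlist"
MAIN_FILE = "ti-woocommerce-wishlist.php"
# Latest release at the time of the advisory, reported as still unpatched.
LAST_UNPATCHED = "2.8.2"

# Constructed sample of a plugin main-file header, in the format WordPress
# reads plugin metadata from.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: TI WooCommerce Wishlist
 * Version: 2.8.2
 */
"""

def parse_version(header_text: str) -> Optional[str]:
    """Return the 'Version:' header value from a plugin main file, or None."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text, re.MULTILINE)
    return m.group(1) if m else None

def version_key(v: str) -> tuple:
    """'2.8.2' -> (2, 8, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def assess(installed: Optional[str]) -> str:
    """Classify an install: 'not-installed', 'vulnerable' (<= 2.8.2) or
    'verify' (newer than 2.8.2: check the advisory before trusting it)."""
    if installed is None:
        return "not-installed"
    if version_key(installed) <= version_key(LAST_UNPATCHED):
        return "vulnerable"
    return "verify"

def scan_wordpress(root: Path) -> str:
    """Look for the plugin under a WordPress docroot and classify it."""
    main = root / "wp-content" / "plugins" / PLUGIN_SLUG / MAIN_FILE
    if not main.is_file():
        return assess(None)
    # Only the header comment matters; the first 8 KB is enough to find it.
    return assess(parse_version(main.read_text(errors="replace")[:8192]))

# The advisory's remediation (deactivate, then delete) as wp-cli commands.
REMEDIATION = [f"wp plugin deactivate {PLUGIN_SLUG}", f"wp plugin delete {PLUGIN_SLUG}"]

if __name__ == "__main__":
    import sys
    print(scan_wordpress(Path(sys.argv[1] if len(sys.argv) > 1 else ".")))
```

Run it with the WordPress document root as the argument; a result of `vulnerable` means the plugin is installed at 2.8.2 or earlier and the commands in `REMEDIATION` apply.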
For further details and technical insights, visit Patchstack's advisory on CVE-2024-43917.