PT-2024-37962 · WordPress · Truebooker
Project Black
·
Published
2024-09-07
·
Updated
2024-09-11
·
CVE-2024-6924
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
The TrueBooker WordPress plugin versions prior to 1.0.3
Description
The issue is related to a SQL injection vulnerability. It occurs because the plugin does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users.
Recommendations
For versions prior to 1.0.3, update to version 1.0.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the AJAX action to prevent exploitation.
Exploit
Fix
SQL injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Truebooker