CVE-2024-7827

Name of the Vulnerable Software and Affected Versions The Shopping Cart & eCommerce Store plugin for WordPress versions up to, and including, 5.7.2

Description The issue is related to boolean-based SQL Injection via the model number parameter due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Although some sources mention unauthenticated remote exploitation, the primary description indicates that authenticated attackers with Contributor-level access and above can exploit this issue.

Recommendations For versions up to, and including, 5.7.2, update the plugin to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the model number parameter to minimize the risk of exploitation. Additionally, review logs for signs of compromise.