PT-2025-18749 · Elementor · Elementor Pro

Kenneth Dunn · Published 2025-05-02 · Updated 2025-05-02 · CVE-2024-12023

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: FULL – Cliente plugin for WordPress, versions 3.1.5 through 3.1.25
Description: The issue allows authenticated attackers with Subscriber-level access and above to perform SQL injection via the formId parameter, because the value is insufficiently escaped and the existing SQL queries are not prepared. This can be used to extract sensitive information from the database. Exploitation is only possible when the PRO version of the plugin is activated, together with Elementor Pro and Elementor CRM.
Recommendations: For versions 3.1.5 through 3.1.25, as a temporary workaround, consider restricting access to the formId parameter in the affected API endpoint until a patch is available, and avoid using the formId parameter in queries until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
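As an added defender's illustration, not the plugin's code and not taken from the advisory: the weak pattern the description refers to (a request value concatenated into SQL) beside a hardened WordPress REST handler that type-checks formId, binds it with $wpdb->prepare(), and gates the route behind a capability. The route, table and capability names are assumptions.

```php
<?php
// Added illustration; table, route and capability names are hypothetical, not the plugin's.

// Weak pattern: the request value becomes part of the SQL text, so anything
// other than a plain integer changes the query rather than being compared to form_id.
// Kept here only for contrast; do not wire this to a route.
function weak_get_submissions( $form_id ) {
    global $wpdb;
    $sql = "SELECT id, data FROM {$wpdb->prefix}example_submissions WHERE form_id = " . $form_id;
    return $wpdb->get_results( $sql );
}

// Hardened pattern: the value is bound with %d, so it can only ever be an integer operand.
function hardened_get_submissions( $form_id ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT id, data FROM {$wpdb->prefix}example_submissions WHERE form_id = %d",
        $form_id
    );
    return $wpdb->get_results( $sql );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/submissions', array(
        'methods'  => 'GET',
        'callback' => function ( WP_REST_Request $request ) {
            // formId has already been validated and sanitised by the 'args' rules below.
            return rest_ensure_response( hardened_get_submissions( $request->get_param( 'formId' ) ) );
        },
        // Require a specific capability instead of any logged-in user; the advisory notes
        // that Subscriber-level access is enough to reach the affected endpoint.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'formId' => array(
                'required'          => true,
                'type'              => 'integer',
                // Reject anything that is not a positive whole number before the callback runs.
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0 && (string) (int) $value === (string) $value;
                },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );
```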

Weakness Enumeration: SQL injection

Related Identifiers: CVE-2024-12023

Affected Products:
Elementor Crm
Elementor Pro
Full – Cliente