CVE-2024-12428

Published Dec 25, 2024

Last updated 2 months ago

CVSS high 7.5

Overview

Description: The WP Data Access – App, Table, Form and Chart Builder plugin plugin for WordPress is vulnerable to SQL Injection via the 'order[user_login][dir]' parameter in all versions up to, and including, 5.5.22 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Source: security@wordfence.com
NVD status: Received

Risk scores

CVSS 3.1

Type: Primary
Base score: 7.5
Impact score: 3.6
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity: HIGH

Weaknesses

security@wordfence.com: CWE-89

Hype score: Not currently trending

CVE-2024-12428 (CVSS:7.5, HIGH) is Awaiting Analysis. The WP Data Access – App, Table, Form and Chart Builder plugin plugin for WordPress is vulnerable to SQL Injection via t..https://t.co/58QDdJtW8I #cybersecurityawareness #cybersecurity #CVE #infosec #hacker #nvd #mitre
@cracbot
30 Dec 2024
2 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE Alert: CVE-2024-12428 - https://t.co/35spnIk5cs #OSINT #ThreatIntel #CyberSecurity #cve_2024_12428
@RedPacketSec
26 Dec 2024
7 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2024-12428 SQL Injection in WP Data Access Plugin for WordPress (All Versions ≤ 5.5.22) The WP Data Access – App, Table, Form and Chart Builder plugin for WordPress has an SQL Injection vulnerability. This is... https://t.co/coxKdBKtJe
@VulmonFeeds
25 Dec 2024
64 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 CVE-2024-12428 The WP Data Access – App, Table, Form and Chart Builder plugin plugin for WordPress is vulnerable to SQL Injection via the 'order[user_login][dir]' parameter in all versions up to, and including 5.5.22 due to insufficient escaping on the user supplied parameter
@Infosec_techs
25 Dec 2024
5 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
CVE-2024-12428 The WP Data Access – App, Table, Form and Chart Builder plugin plugin for WordPress is vulnerable to SQL Injection via the 'order[user_login][dir]' parameter in all v… https://t.co/llRQ1mejmp
@CVEnew
25 Dec 2024
678 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes

References

https://nvd.nist.gov/vuln/detail/CVE-2024-12428
https://plugins.trac.wordpress.org/changeset/3210150/wp-data-access/tags/5.5.23/WPDataAccess/Data_Tables/WPDA_Data_Tables.php?old=3206494&old_path=wp-data-access%2Ftags%2F5.5.22%2FWPDataAccess%2FData_Tables%2FWPDA_Data_Tables.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/a1708d6e-14f5-418f-81eb-f9269159b5b1?source=cve

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

References