CVE-2024-27956

Published Mar 21, 2024

Last updated 2 months ago

WordPress

ValvePress

Overview

AI description

Generated using AI and has not been reviewed by Intruder. May contain errors.

CVE-2024-27956 is an SQL Injection vulnerability affecting the WordPress Automatic plugin by ValvePress, specifically versions up to 3.92.0. The vulnerability stems from improper neutralization of special elements used in an SQL command. This flaw allows attackers to inject malicious SQL code, potentially leading to unauthorized access to websites, creation of admin-level user accounts, uploading malicious files, and ultimately, taking full control of affected sites. It has been reported that attackers are actively exploiting this vulnerability.

Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ValvePress Automatic allows SQL Injection.This issue affects Automatic: from n/a through 3.92.0.
Source: audit@patchstack.com
NVD status: Analyzed

Risk scores

CVSS 3.1

Type: Primary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

Weaknesses

audit@patchstack.com: CWE-89

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score: 27

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:valvepress:automatic:*:*:*:*:*:wordpress:*:*",
            "vulnerable": true,
            "matchCriteriaId": "BCDB3E1F-7944-4923-9C51-1BC930BD8EB9",
            "versionEndIncluding": "3.92.0"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]