HIGH🇬🇧 English

CVE-2024-3217

CVSS 8.8v3.1pub. 2024-04-05upd. 2026-04-08

The WP Directory Kit plugin for WordPress is vulnerable to SQL Injection via the 'attribute_value' and 'attribute_id' parameters in all versions up to, and including, 1.3.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Wpdirectorykit Wp Directory Kit

    APP
    Wpdirectorykit
    < 1.3.1
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
SQLi
CWE
Referencje

Powiązane podatności

CVE-2025-13390CRITICAL10.0PL ✓ten sam produkt

Authentication bypass w WP Directory Kit — przejęcie konta admina

CVE-2023-2278CRITICAL9.8ten sam produkt

The WP Directory Kit plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and includi...

CVE-2024-37487HIGH7.1ten sam produkt

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in w...

CVE-2024-29774HIGH7.1ten sam produkt

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WpDirect...

CVE-2023-41875MEDIUM5.3ten sam produkt

Missing Authorization vulnerability in wpdirectorykit.com WP Directory Kit allows Exploiting Incorrectly Confi...