
CVE-2024-11267 — Critical SQL Injection (CVSS 8.8)

WordPress Plugin JSP Store Locator — Discovered by Seckhmet

Vulnerability Information

CVE ID: CVE-2024-11267
Type: SQL Injection (SQLi)
Affected Component: WordPress Plugin JSP Store Locator
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 8.8 — High
Discovered by: Seckhmet

Description

A high-severity SQL Injection (CVSS 8.8) was discovered in the WordPress plugin JSP Store Locator. This vulnerability is particularly dangerous because it is exploitable with low user privileges (PR:L), requires no interaction from a victim (UI:N), and has a High-rated impact on all three of confidentiality, integrity and availability (C:H/I:H/A:H).

Any registered user on a WordPress site using this plugin can potentially read, modify or delete all data in the database, or even take the site offline.

CVSS Analysis

  • AV:N — Network attack vector: remotely exploitable, no physical or local access needed
  • AC:L — Low attack complexity: no special conditions are required for exploitation
  • PR:L — Low privileges are sufficient (a subscriber, author or similar low-level account)
  • UI:N — No user interaction: no action by a victim is required
  • S:U — Unchanged scope: impact stays within the vulnerable component (the WordPress site and its database)
  • C:H / I:H / A:H — High impact on all three CIA pillars (confidentiality, integrity, availability)

Recommendations

Immediately update or uninstall the JSP Store Locator plugin. Review database logs for any sign of past exploitation. Deploy continuous WordPress monitoring so that newly published CVEs affecting installed plugins are flagged as soon as they appear.