Menu

CVE-2024-11372 β€” SQL Injection

WordPress Plugin Connexion Logs β€” Discovered by Seckhmet

Vulnerability Information

CVE IDCVE-2024-11372
TypeSQL Injection (SQLi)
Affected ComponentWordPress Plugin Connexion Logs
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS Score7.2 β€” High
Discovered bySeckhmet

Description

A SQL Injection was discovered in the WordPress plugin Connexion Logs, a tool designed to log connections on WordPress sites. The flaw allows an attacker with administrator rights to manipulate SQL queries, resulting in a critical impact on confidentiality, integrity and availability.

A plugin designed to improve security containing a critical vulnerability itself perfectly illustrates the need to regularly audit the entire WordPress ecosystem, including security tools.

CVSS Analysis

  • AV:N β€” Network vector
  • AC:L β€” Low attack complexity
  • PR:H β€” High privileges required
  • UI:N β€” No user interaction
  • C:H / I:H / A:H β€” Critical impact on all three pillars

Recommendations

Update or disable the Connexion Logs plugin. Implement continuous WordPress plugin monitoring with Seckhmet to be notified in real time of any new vulnerability affecting your perimeter.