Cyber Resilience

CVE-2024-12773

HighPublic PoC

Published: 27 January 2025

Published
27 January 2025
Modified
07 May 2025
KEV Added
Patch
CVSS Score v3.1 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0041 61.5th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-12773 is a high-severity SQL Injection (CWE-89) vulnerability in Pulseextensions Altra Side Menu. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 38.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-12773 is a SQL injection vulnerability (CWE-89) in the Altra Side Menu WordPress plugin through version 2.0. The flaw arises because the plugin does not sanitize and escape a parameter before incorporating it into a SQL statement, enabling unauthenticated SQL injection attacks when exploited by authorized users.

The vulnerability has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable over the network with low complexity and no user interaction required, but necessitates high privileges such as administrator access. An attacker with admin rights can inject malicious SQL payloads to achieve high-impact confidentiality, integrity, and availability compromises, potentially leading to full database compromise, data exfiltration, modification, or deletion.

For mitigation details, refer to the WPScan advisory at https://wpscan.com/vulnerability/fab64105-599f-49a4-b01d-c873ff34b590/.

EU & UK References

Vulnerability details

The Altra Side Menu WordPress plugin through 2.0 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in public-facing WordPress plugin directly enables exploitation of the web application over the network.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-39334Shared CWE-89
CVE-2024-13488Shared CWE-89
CVE-2026-22850Shared CWE-89
CVE-2024-12404Shared CWE-89
CVE-2024-13474Shared CWE-89
CVE-2026-20002Shared CWE-89
CVE-2025-1446Shared CWE-89
CVE-2025-22699Shared CWE-89
CVE-2026-36232Shared CWE-89
CVE-2026-31871Shared CWE-89

Affected Assets

pulseextensions
altra side menu
≤ 2.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 requires information input validation at system entry points, directly preventing SQL injection by sanitizing and escaping parameters before SQL statement incorporation.

prevent

SI-2 mandates identification, reporting, and correction of system flaws, comprehensively mitigating this SQL injection vulnerability through timely plugin patching.

detect

RA-5 requires vulnerability monitoring and scanning that identifies SQL injection flaws like CVE-2024-12773 in WordPress plugins.

References