CVE-2024-30502
Published: 29 March 2024
Summary
CVE-2024-30502 is a critical-severity SQL Injection (CWE-89) vulnerability in Wptravelengine Wp Travel Engine. Its CVSS base score is 9.3 (Critical).
Operationally, it is ranked in the top 4.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-30502 is an unauthenticated blind SQL injection vulnerability, tracked as CWE-89, that affects the WP Travel Engine WordPress plugin in all versions through 5.7.9. The flaw stems from improper neutralization of special elements in SQL commands and carries a CVSS 3.1 score of 9.3, reflecting a network attack vector, low complexity, no required privileges or user interaction, and changed scope with high confidentiality impact plus low availability impact.
An unauthenticated attacker can send crafted requests over the network to exploit the injection and extract sensitive data from the database. The vulnerability enables blind SQL techniques that can lead to substantial information disclosure while causing limited service disruption.
Advisories published by Patchstack identify the issue as an unauthenticated blind SQL injection in the specified plugin versions and provide the primary reference for tracking the flaw.
EPSS for the CVE rose from lower values to a peak of 0.3748 on 2026-03-13 before receding to the current score of 0.1843, indicating a period of increased exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-28422
Vulnerability details
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Travel Engine. This issue affects WP Travel Engine: from n/a through 5.7.9.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.