Cyber Resilience

CVE-2024-32128

Severity: Critical

Published: 15 April 2024
Modified: 28 April 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: not specified on this record
CVSS v3.1 score: 9.3 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L)
EPSS score: 0.1104 (93.6th percentile)
Risk priority: 25 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-32128 is a critical-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 9.3 (Critical).

Operationally, it ranks in the top 6.4% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-32128 is an unauthenticated SQL injection vulnerability arising from improper neutralization of special elements used in SQL commands, tracked as CWE-89. It affects the Realtyna Organic IDX plugin for WordPress; all versions through 4.14.4 are impacted. The flaw carries a CVSS 3.1 score of 9.3, reflecting a network attack vector, low attack complexity, no required privileges or user interaction, and changed scope.

Remote attackers without authentication can exploit the issue to extract sensitive data with high confidentiality impact while also causing limited availability degradation. The vulnerability is reachable directly over the network due to the plugin's exposure in typical WordPress deployments.

Patchstack advisories document the flaw as an unauthenticated SQL injection in the real-estate-listing-realtyna-wpl component and point to the need to update to a version later than 4.14.4. The EPSS score reached a peak of 0.1785 after disclosure before settling at the current value of 0.1104, a material rise in exploitation interest that warrants renewed attention.

Vulnerability details

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in the Realtyna Organic IDX plugin by Realtyna. This issue affects Realtyna Organic IDX plugin: from n/a through 4.14.4.

CWE(s): CWE-89 (Improper Neutralization of Special Elements used in an SQL Command)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Penetration testing (addresses CWE-89): uses SQL injection payloads against database interfaces to identify SQL injection weaknesses and support their remediation.

- Query input validation (addresses CWE-89): validates query inputs to prevent manipulation of SQL syntax or commands.