Cyber Resilience

CVE-2024-33559

Critical

Published: 29 April 2024

Modified: 28 April 2026
CVSS v3.1 score: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L)
EPSS score: 0.0672 (91.5th percentile)
Risk Priority: 23 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-33559 is a critical-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 9.3 (Critical).

Operationally, its EPSS score ranks it in the top 8.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-33559 is an SQL injection issue (CWE-89) caused by improper neutralization of special elements used in SQL commands. It affects the 8theme XStore WordPress theme in all versions through 9.3.5 and is rated 9.3 on CVSS 3.1: network attack vector, low attack complexity, no privileges or user interaction required, changed scope, high confidentiality impact, no integrity impact, and low availability impact.

Unauthenticated remote attackers can exploit the flaw to inject arbitrary SQL commands, enabling extraction of sensitive data and limited disruption to affected components or related systems.

Patchstack advisories identify the issue as an unauthenticated SQL injection vulnerability in XStore 9.3.5. The associated EPSS score has remained flat at 0.0672 with no material rise after disclosure.

Vulnerability details

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in 8theme XStore allows SQL Injection. This issue affects XStore: from n/a through 9.3.5.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-89: penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.
- Addresses CWE-89: validating query inputs prevents SQL syntax or command manipulation.
