CVE-2024-33559
Published: 29 April 2024
Summary
CVE-2024-33559 is a critical-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 9.3 (Critical).
Operationally, its EPSS percentile places it in the top 8.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-33559 is an SQL injection issue (CWE-89): user-controlled input reaches an SQL statement without being neutralized, so special characters in it are parsed as SQL rather than as data. It affects the 8theme XStore WordPress theme in all versions through 9.3.5 and is rated 9.3 (Critical) on CVSS 3.1 with a network attack vector, low attack complexity, no privileges or user interaction required, changed scope, high confidentiality impact, no integrity impact, and low availability impact (vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L).
Unauthenticated remote attackers can exploit the flaw to inject arbitrary SQL, enabling extraction of sensitive data from the site's database (the high confidentiality impact) and limited service disruption (the low availability impact). The changed scope reflects that a flaw in the theme exposes the WordPress database shared by the whole site, not just the theme's own data.
Patchstack advisories identify the issue as an unauthenticated SQL injection vulnerability in XStore versions up to and including 9.3.5. The associated EPSS score has remained flat at 0.0672 (roughly a 6.7% estimated probability of exploitation activity in the next 30 days), with no material rise since disclosure.
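As an added, generic illustration of the weakness class (CWE-89) described above, and not code from the XStore theme, 8theme or Patchstack, the following Python script builds a constructed in-memory SQLite table and runs the same lookup two ways: with the request value spliced into the SQL text (improper neutralization), and with a parameterized query (the fix, equivalent to $wpdb->prepare() in WordPress code). The table, column names and payloads are made up for the example; the actual injection point in XStore is not identified on this page.

```python
"""Constructed illustration of CWE-89 (SQL injection), the weakness class behind
CVE-2024-33559. The schema, table name and payloads are invented for this example;
this is NOT the XStore theme's code or its real injection point."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory table standing in for a WordPress-style user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT)"
    )
    conn.executemany(
        "INSERT INTO wp_users (user_login, user_email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_login: str) -> list:
    """Improper neutralization: the untrusted value is spliced into the SQL text.
    A value such as  ' OR 1=1 --  rewrites the query's logic instead of being data."""
    sql = f"SELECT user_login, user_email FROM wp_users WHERE user_login = '{user_login}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, user_login: str) -> list:
    """Parameterized query: the driver passes the value separately from the SQL text,
    so quotes and comment markers inside it are never parsed as SQL. This is the
    same idea as $wpdb->prepare() in WordPress themes and plugins."""
    sql = "SELECT user_login, user_email FROM wp_users WHERE user_login = ?"
    return conn.execute(sql, (user_login,)).fetchall()


# Constructed payloads: one benign value and two classic injection strings.
PAYLOADS = {
    "normal": "alice",
    # Tautology: closes the string literal, ORs in an always-true clause, comments out the rest.
    "tautology": "' OR 1=1 -- ",
    # UNION-based exfiltration: appends rows from the schema catalogue to the result set.
    "union_exfil": "' UNION SELECT name, sql FROM sqlite_master -- ",
}


def demo() -> dict:
    """Run every payload through both lookups and return the rows each one produced."""
    conn = make_db()
    results = {}
    for name, value in PAYLOADS.items():
        results[name] = {
            "vulnerable": lookup_vulnerable(conn, value),
            "hardened": lookup_hardened(conn, value),
        }
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(
            f"{name:12s} vulnerable -> {len(r['vulnerable'])} row(s), "
            f"hardened -> {len(r['hardened'])} row(s)"
        )
```

Running the script shows the benign value returning one row from both functions, while the tautology payload returns every user from the vulnerable lookup and the UNION payload returns the table definition from sqlite_master; the parameterized lookup returns nothing for either injection string because the whole payload is treated as a literal login name.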
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-31296
Vulnerability details
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in 8theme XStore allows SQL Injection. This issue affects XStore: from n/a through 9.3.5.
- CWE(s): CWE-89, Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- 8theme XStore WordPress theme, all versions through 9.3.5 (NVD: from n/a through 9.3.5). Releases later than 9.3.5 are outside the affected range.
Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the controls below follow from the weakness type cited in the NVD entry (CWE-89) rather than from analysis of the theme itself.
- Update the XStore theme to a release later than 9.3.5, the last affected version.
- Ensure theme and plugin database access uses parameterized queries (in WordPress, $wpdb->prepare()) instead of concatenating request input into SQL strings.
- Run the database account used by WordPress with least privilege so an injection cannot read or modify data beyond the site's own schema.
- Until the update is applied, a web application firewall with SQL injection rules in front of the site is a compensating control, not a fix.