Cyber Resilience

CVE-2024-3552

Severity: Critical · Public PoC

Published: 13 June 2024
Modified: 25 March 2025
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9335 (99.8th percentile)
Risk Priority: 76 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-3552 is a critical-severity SQL Injection (CWE-89) vulnerability in Salephpscripts Web Directory Free. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

The Web Directory Free WordPress plugin before version 1.7.0 is affected by an unauthenticated SQL injection vulnerability tracked as CVE-2024-3552. The root cause is missing sanitization and escaping of a request parameter that is concatenated into a SQL statement inside an AJAX action reachable without authentication, which permits UNION-based, time-based and error-based injection. The flaw is classified under CWE-89 and carries a CVSS 3.1 score of 9.8.

An unauthenticated remote attacker can send crafted requests to the exposed AJAX endpoint and extract, modify, or delete database contents, potentially leading to full site takeover. Because the action requires no credentials or user interaction, exploitation can be performed at scale against any site running an affected version.

WPScan published a vulnerability report detailing the issue at the referenced advisory URL. The EPSS score currently stands at 0.9335 with a recorded peak of 0.9358, indicating a high likelihood of exploitation attempts.
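As an added illustration (not the plugin's code, which this page does not reproduce), the following WordPress AJAX handler shows the pattern the analysis describes beside a hardened version of the same feature. The hook name `wdf_search`, the request parameter `q`, the nonce name and the table name are all hypothetical.

```php
<?php
// Added example, modelled on the pattern described above. The action name,
// the `q` parameter and the `wdf_listings` table are constructed for illustration.

// VULNERABLE PATTERN: a wp_ajax_nopriv_* hook is reachable by unauthenticated
// visitors, and the request parameter is concatenated straight into the SQL.
// (Shown for contrast only; it is not registered below.)
function wdf_search_vulnerable() {
    global $wpdb;
    $q   = $_POST['q'];                                   // untrusted, unescaped
    $sql = "SELECT id, name FROM {$wpdb->prefix}wdf_listings "
         . "WHERE name LIKE '%" . $q . "%'";              // CWE-89
    wp_send_json( $wpdb->get_results( $sql ) );
}

// HARDENED: same feature, same unauthenticated reachability, three fixes.
add_action( 'wp_ajax_nopriv_wdf_search', 'wdf_search_hardened' );
function wdf_search_hardened() {
    global $wpdb;

    // 1. Require a nonce issued with the page (wp_create_nonce('wdf_search_nonce'))
    //    so the endpoint cannot be driven blindly and at scale from anywhere.
    check_ajax_referer( 'wdf_search_nonce', 'nonce' );

    // 2. Constrain type and length before the value goes anywhere near SQL.
    $q = isset( $_POST['q'] ) ? sanitize_text_field( wp_unslash( $_POST['q'] ) ) : '';
    if ( '' === $q || strlen( $q ) > 64 ) {
        wp_send_json_error( 'invalid query', 400 );
    }

    // 3. Parameterise: esc_like() neutralises % and _ inside the user value and
    //    prepare() binds it as a string literal, so it can never alter the statement.
    $sql = $wpdb->prepare(
        "SELECT id, name FROM {$wpdb->prefix}wdf_listings WHERE name LIKE %s LIMIT 50",
        '%' . $wpdb->esc_like( $q ) . '%'
    );
    wp_send_json_success( $wpdb->get_results( $sql ) );
}
```

The nonce does not replace the parameterised query: step 3 is what closes CWE-89, while steps 1 and 2 shrink the attack surface and make abnormal requests easier to spot in access logs.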

EU & UK References

Vulnerability details

The Web Directory Free WordPress plugin before 1.7.0 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection with different techniques like UNION, Time-Based and Error-Based.

CWE(s)

CWE-89 (SQL Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

salephpscripts · web directory free · ≤ 1.7.0

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses. (addresses: CWE-89)

- Validates query inputs to prevent SQL syntax or command manipulation. (addresses: CWE-89)

References