Cyber Resilience

CVE-2024-43918

Critical

Published: 29 August 2024
Modified: 10 October 2024
KEV Added: not listed
Patch: vendor update available (versions later than 1.9.4)
CVSS Score v3.1: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.4894 (97.8th percentile)
Risk Priority: 49 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-43918 is a critical-severity SQL Injection (CWE-89) vulnerability in the WBW Product Table PRO WordPress plugin by Woobewoo. Its CVSS v3.1 base score is 10.0 (Critical).

Operationally, its EPSS score places it in the top 2.2% of all CVEs by estimated exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-43918 is an unauthenticated SQL injection vulnerability (CWE-89) in the WBW Product Table PRO WordPress plugin, affecting versions through 1.9.4. The flaw stems from improper neutralization of special elements in SQL commands within the plugin's product table functionality, so crafted request input can alter the logic of the query the plugin builds.

Remote attackers need neither credentials nor user interaction to reach the flaw over the network. Successful exploitation permits arbitrary SQL query execution, which under the reported CVSS 10.0 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) means full read and write access to the WordPress database, a path to privilege escalation (for example by reading or altering user records), and high impact to confidentiality, integrity, and availability with a changed scope.

The Patchstack advisory describes the issue as unauthenticated arbitrary SQL query execution and lists the affected versions; operators should update to a version later than 1.9.4. Because no authentication is required, any internet-facing site running an affected version should be treated as reachable: if the update cannot be applied immediately, deactivate the plugin, and review the database and web server logs for signs of prior exploitation. The EPSS score of 0.4894 corresponds to an estimated 49% probability of exploitation activity within the next 30 days, which is why this entry ranks so highly by exploit likelihood.

Vulnerability details

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WBW Product Table PRO allows SQL Injection. This issue affects WBW Product Table PRO: from n/a through 1.9.4.

CWE(s)

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: woobewoo
Product: product table
Versions: ≤ 1.9.5

Note the discrepancy between this asset range (≤ 1.9.5) and the NVD description above (through 1.9.4); confirm the fixed version against the vendor changelog before treating 1.9.5 as patched.

Mitigating Controls

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Penetration testing (addresses CWE-89): uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

Input validation (addresses CWE-89): validates query inputs to prevent SQL syntax or command manipulation. Validation alone is a secondary control; the primary fix for CWE-89 is to bind user-supplied values as query parameters and to restrict identifiers such as sort columns to an allowlist.
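The vulnerable-versus-hardened pattern behind the Deeper analysis section and the input-validation control above, as an added example that is not code from the WBW Product Table PRO plugin or from Patchstack. The product schema, the rows, the wp_users stand-in with a placeholder hash, and the two payloads are all constructed for this illustration; the real plugin's query and parameter names are not shown on this page. It shows how a category filter spliced into SQL lets an unauthenticated caller dump another table, and how binding the value and allowlisting the sort column stops it.

```python
# Added illustration, not the plugin's code: a product-table lookup built
# the insecure way (string concatenation, CWE-89) and the hardened way
# (bound parameters plus an identifier allowlist). Schema, rows, the
# wp_users stand-in and the payloads are constructed for this example.
import sqlite3

# Constructed request inputs an unauthenticated caller could supply.
UNION_PAYLOAD = "x' UNION SELECT user_login, user_pass, 0 FROM wp_users-- "
TAUTOLOGY_PAYLOAD = "' OR '1'='1"

# Sort columns the application actually offers. Identifiers cannot be bound
# as parameters, so they must be checked against an allowlist instead.
ALLOWED_SORT = {"id", "name", "price"}


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for a WordPress database (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER, name TEXT, category TEXT, price REAL);
        INSERT INTO products VALUES (1, 'Kettle', 'kitchen', 25.0);
        INSERT INTO products VALUES (2, 'Toaster', 'kitchen', 30.0);
        INSERT INTO products VALUES (3, 'Lamp', 'home', 12.5);
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT);
        INSERT INTO wp_users VALUES (1, 'admin', '$P$Bplaceholder');
        """
    )
    return conn


def vulnerable_query(conn, category, sort_col):
    """Insecure: both request values are spliced straight into the SQL text."""
    sql = (
        "SELECT name, category, price FROM products "
        f"WHERE category = '{category}' ORDER BY {sort_col}"
    )
    return conn.execute(sql).fetchall()


def is_allowed_sort(sort_col):
    """True only for a column name the application itself offers."""
    return sort_col in ALLOWED_SORT


def safe_query(conn, category, sort_col):
    """Hardened: the value is bound; the identifier comes from the allowlist."""
    if not is_allowed_sort(sort_col):
        raise ValueError(f"unexpected sort column: {sort_col!r}")
    sql = (
        "SELECT name, category, price FROM products "
        f"WHERE category = ? ORDER BY {sort_col}"
    )
    return conn.execute(sql, (category,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    # Tautology turns the filter into "match everything".
    print("vulnerable, tautology:", vulnerable_query(db, TAUTOLOGY_PAYLOAD, "name"))
    # UNION appends rows from wp_users, i.e. the credential table.
    print("vulnerable, UNION    :", vulnerable_query(db, UNION_PAYLOAD, "name"))
    # Same payload bound as a value matches no category at all.
    print("hardened,   UNION    :", safe_query(db, UNION_PAYLOAD, "name"))
```

The same split applies in a WordPress plugin: values go through `$wpdb->prepare()` with `%s`/`%d` placeholders, while column and table names, which `prepare()` cannot quote, are validated against a fixed list before being interpolated.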
