CVE-2024-43918
Published: 29 August 2024
Summary
CVE-2024-43918 is a critical-severity SQL Injection (CWE-89) vulnerability in Woobewoo Product Table. Its CVSS base score is 10.0 (Critical).
Operationally, it is ranked in the top 2.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-43918 is an unauthenticated SQL injection vulnerability (CWE-89) affecting the WBW Product Table PRO WordPress plugin, versions through 1.9.4. The flaw stems from improper neutralization of special elements in SQL commands within the plugin's product table functionality, allowing crafted input to alter query logic.
Remote attackers with no credentials or user interaction can exploit the issue over the network. Successful exploitation permits arbitrary SQL query execution, which under the reported CVSS 10.0 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) can result in full read/write access to the database, potential privilege escalation, and impact to confidentiality, integrity, and availability with changed scope.
The Patchstack advisory describes the vulnerability as unauthenticated arbitrary SQL query execution and lists the affected plugin versions; operators should apply the vendor-supplied update to a version later than 1.9.4 to remediate. The associated EPSS score of 0.4894 indicates substantial exploitation interest.
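As an added illustration for defenders reviewing plugin code (this is not code from the Product Table PRO plugin or from the advisory), the snippet below shows the generic CWE-89 pattern the weakness type describes, alongside its hardened form using WordPress's `$wpdb->prepare()`. The table name, column names and request parameters are hypothetical.

```php
<?php
// Added illustration of CWE-89 in a WordPress plugin context.
// Table, column and request parameter names are hypothetical and are not
// taken from the affected plugin.

// Weak pattern: untrusted request input is concatenated straight into the SQL
// string, so the input can change the query's structure, not just its values.
function hypothetical_get_products_unsafe( $wpdb, array $request ) {
    $category = isset( $request['category'] ) ? $request['category'] : '';
    $sql = "SELECT id, name, price FROM {$wpdb->prefix}hypo_products "
         . "WHERE category = '" . $category . "'";
    return $wpdb->get_results( $sql );
}

// Hardened pattern: the value is bound through a %s placeholder, so it is
// always treated as data. Input is also unslashed and sanitized first.
function hypothetical_get_products_safe( $wpdb, array $request ) {
    $category = isset( $request['category'] )
        ? sanitize_text_field( wp_unslash( $request['category'] ) )
        : '';
    $sql = $wpdb->prepare(
        "SELECT id, name, price FROM {$wpdb->prefix}hypo_products WHERE category = %s",
        $category
    );
    return $wpdb->get_results( $sql );
}

// Identifiers such as an ORDER BY column cannot be bound with %s; restrict them
// to an explicit allow-list instead of interpolating the request value.
function hypothetical_order_column( array $request ) {
    $allowed = array( 'name', 'price' );
    $col = isset( $request['orderby'] ) ? (string) $request['orderby'] : 'name';
    return in_array( $col, $allowed, true ) ? $col : 'name';
}
```

When auditing a plugin for this weakness class, look for every `$wpdb->query()`, `get_results()`, `get_var()` or `get_row()` call whose SQL string is built from `$_GET`, `$_POST` or `$_REQUEST` values without passing through `prepare()`, and check separately that any identifier (table or column name, sort direction) comes from an allow-list, since placeholders do not cover those.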
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-40568
Vulnerability details
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WBW WBW Product Table PRO allows SQL Injection. This issue affects WBW Product Table PRO: from n/a through 1.9.4.
- CWE(s): CWE-89 (SQL Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.