CVE-2024-49333
Published: 21 January 2025
Summary
CVE-2024-49333 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 45.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-49333 is an SQL injection vulnerability (CWE-89): special elements in attacker-controlled input are not neutralized before the input is used in an SQL command. It affects the Hero Mega Menu - Responsive WordPress Menu Plugin in all versions up to and including 1.16.5 (listed as "from n/a through 1.16.5").
The vulnerability carries a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L). An authenticated user with low privileges (PR:L), such as a WordPress contributor, can exploit it over the network with low attack complexity and no user interaction. The changed scope (S:C) indicates that the impact reaches beyond the vulnerable plugin itself, typically into the shared WordPress database, so the high confidentiality impact (C:H) can extend to data in tables the plugin was never meant to expose; integrity is not affected (I:N) and availability impact is low (A:L).
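To make the mechanism concrete, here is an added example in Python with SQLite (not code from the Hero Mega Menu plugin, whose vulnerable parameter the advisory does not disclose): a menu-item lookup that splices a request value into the query, the same lookup with a bound parameter, and a hardened version that also allow-lists the value before binding it. The table names, columns, sample rows and payload are all constructed for illustration.

```python
"""
Illustrative CWE-89 pattern in the shape of a WordPress menu plugin's item
lookup, beside its hardened form. Added example with constructed schema and
data; not code from the Hero Mega Menu plugin. SQLite stands in for MySQL
(string concatenation is || here, CONCAT() in MySQL).
"""
import sqlite3


def build_db():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE wp_hmenu_items (id INTEGER, menu_id INTEGER, label TEXT);
        INSERT INTO wp_hmenu_items VALUES (1, 1, 'Home'), (2, 1, 'About'), (3, 2, 'Contact');
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT);
        INSERT INTO wp_users VALUES (1, 'admin', '$P$Bconstructedhash1'),
                                    (2, 'editor', '$P$Bconstructedhash2');
        """
    )
    return conn


def menu_items_vulnerable(conn, menu_id_raw):
    """Vulnerable: the request value is spliced into the SQL text (CWE-89)."""
    sql = "SELECT label FROM wp_hmenu_items WHERE menu_id = " + menu_id_raw
    return [row[0] for row in conn.execute(sql)]


def menu_items_bound(conn, menu_id_raw):
    """Neutralisation only: a bound parameter never enters the SQL grammar,
    so an injected string is compared as data and simply matches nothing."""
    sql = "SELECT label FROM wp_hmenu_items WHERE menu_id = ?"
    return [row[0] for row in conn.execute(sql, (menu_id_raw,))]


def menu_items_hardened(conn, menu_id_raw):
    """Validation plus neutralisation (SI-10): allow-list the shape of the
    value, convert it to the expected type, then bind it."""
    if not (menu_id_raw.isascii() and menu_id_raw.isdigit()):
        raise ValueError("menu_id must be a non-negative integer")
    sql = "SELECT label FROM wp_hmenu_items WHERE menu_id = ?"
    return [row[0] for row in conn.execute(sql, (int(menu_id_raw),))]


# Constructed payload: what a low-privileged user could send instead of a menu id.
PAYLOAD = "1 UNION ALL SELECT user_login || ':' || user_pass FROM wp_users"


def demo():
    """Run the payload through all three lookups and report what each returns."""
    conn = build_db()
    leaked = menu_items_vulnerable(conn, PAYLOAD)   # menu rows plus every user's hash
    inert = menu_items_bound(conn, PAYLOAD)         # [] : payload treated as a value
    try:
        menu_items_hardened(conn, PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True                             # payload never reaches the database
    return leaked, inert, rejected


if __name__ == "__main__":
    leaked, inert, rejected = demo()
    print("vulnerable lookup returned:", leaked)
    print("bound-parameter lookup returned:", inert)
    print("hardened lookup rejected payload:", rejected)
```

The bound-parameter version alone already defeats the injection, which is the point of SI-10's "neutralization"; the allow-list in the hardened version adds the "validation" half and rejects the payload before any database round trip, which also keeps malformed input out of logs and error paths. In a real WordPress plugin the equivalent of the bound parameter is `$wpdb->prepare()` with `%d` for an integer id.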
Patchstack's advisory documents the issue; see https://patchstack.com/database/wordpress/plugin/hmenu/vulnerability/wordpress-hero-menu-plugin-1-16-5-sql-injection-vulnerability-2?_s_id=cve for details and mitigation recommendations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-43682
Vulnerability details
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NotFound Hero Mega Menu - Responsive WordPress Menu Plugin allows SQL Injection. This issue affects Hero Mega Menu - Responsive WordPress Menu Plugin: from n/a through 1.16.5.
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
The plugin runs inside an internet-accessible WordPress site, so a low-privileged authenticated user can exploit the SQL injection remotely against a public-facing web application (T1190) and read data they are not authorized to access.
Mitigating Controls (NIST 800-53 r5) (AI)
- SI-10 (Information Input Validation): directly requires validation and neutralization of special elements in information inputs, which prevents SQL injection such as CVE-2024-49333.
- SI-2 (Flaw Remediation): mandates identification, reporting and correction of system flaws, including patching the vulnerable Hero Mega Menu WordPress plugin affected by this SQL injection.
- RA-5 (Vulnerability Monitoring and Scanning): vulnerability scanning identifies SQL injection flaws such as CVE-2024-49333 in installed plugins so they can be remediated promptly.
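As an added example for the remediation and scanning controls (not part of the original page or of any vendor tooling), the following Python reads the JSON that `wp plugin list --format=json` prints and flags an install of the plugin that is still inside the affected range. It assumes the plugin's directory slug is `hmenu`, as it appears in the Patchstack advisory URL; the WP-CLI output embedded below is constructed, not captured from a real site.

```python
"""
Exposure check for the affected range "from n/a through 1.16.5". Consumes the
JSON printed by `wp plugin list --format=json` (fields name, status, update,
version) and reports Hero Mega Menu installs still in range. Added example;
the slug "hmenu" is assumed from the Patchstack URL and the sample output is
constructed.
"""
import json
import re
import sys

AFFECTED_SLUG = "hmenu"      # assumption: plugin directory slug from the advisory URL
LAST_AFFECTED = "1.16.5"     # from the advisory: affected from n/a through 1.16.5

# Constructed stand-in for real `wp plugin list --format=json` output.
SAMPLE_WP_CLI_JSON = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": "hmenu", "status": "active", "update": "available", "version": "1.16.5"},
])


def parse_version(version):
    """Dotted version to a tuple of ints; a segment's leading digits count and
    the rest ('rc1', '-beta') is ignored, so '1.16.5rc1' == (1, 16, 5)."""
    parts = []
    for seg in version.split("."):
        m = re.match(r"\d+", seg)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def is_affected(version):
    """True when the version is at or below the last affected release."""
    return parse_version(version) <= parse_version(LAST_AFFECTED)


def exposed_installs(wp_cli_json):
    """(name, version, status) for every affected Hero Mega Menu entry."""
    hits = []
    for plugin in json.loads(wp_cli_json):
        if plugin.get("name") == AFFECTED_SLUG and is_affected(plugin.get("version", "0")):
            hits.append((plugin["name"], plugin["version"], plugin.get("status")))
    return hits


if __name__ == "__main__":
    # Pipe real output in:  wp plugin list --format=json | python3 check_hmenu.py
    # With no pipe, the constructed sample is used so the script runs offline.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_WP_CLI_JSON
    for name, version, status in exposed_installs(data):
        print(f"{name} {version} ({status}) is within the affected range (<= {LAST_AFFECTED})")
```

The comparison treats "1.16" as affected (it sorts below 1.16.5) and "1.16.6" or "1.17" as outside the range; the advisory itself does not name a fixed release, so the check is written against the last affected version rather than a first patched one. Inactive installs are reported too, since the plugin's files remain on disk until it is removed.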