CVE-2024-49666
Published: 21 January 2025
Summary
CVE-2024-49666 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 45.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-49666 is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability, classified under CWE-89, affecting the ARPrice WordPress plugin developed by reputeinfosystems. The issue impacts all versions of ARPrice from n/a through 4.1.3 inclusive.
The vulnerability carries a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L), indicating it can be exploited remotely over the network with low complexity by low-privileged users without requiring user interaction. Successful exploitation enables high-impact confidentiality violations across scopes, such as extracting sensitive data from the database, alongside low availability impact.
Advisories, including the Patchstack database entry at https://patchstack.com/database/Wordpress/Plugin/arprice/vulnerability/wordpress-arprice-plugin-4-0-3-sql-injection-vulnerability?_s_id=cve, provide details on the vulnerability in the WordPress ARPrice plugin.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-43686
Vulnerability details
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in reputeinfosystems ARPrice arprice allows SQL Injection.This issue affects ARPrice: from n/a through <= 4.1.3.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in public-facing WordPress plugin directly enables remote exploitation of web application (T1190) for data access.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-10 requires validation of all information inputs at entry points, directly preventing SQL injection by neutralizing special elements before they reach SQL commands in the ARPrice plugin.
SI-2 mandates timely identification, reporting, and correction of flaws, directly addressing this SQL injection vulnerability through patching the ARPrice plugin to versions beyond 4.1.3.
SC-7 provides boundary protection via web application firewalls or similar mechanisms to monitor and block remote SQL injection attempts targeting the vulnerable ARPrice plugin.