Cyber Resilience

CVE-2024-55988

Critical

Published: 16 December 2024
Modified: 23 April 2026
KEV Added: not listed
Patch: none recorded
CVSS Score v3.1: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L)
EPSS Score: 0.3246 (97.0th percentile)
Risk Priority: 38 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-55988 is a critical-severity SQL Injection (CWE-89) vulnerability with a CVSS v3.1 base score of 9.3 (Critical).

Operationally, it ranks in the top 3.0% of CVEs by predicted exploit likelihood (EPSS 0.3246, 97.0th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-55988 is a blind SQL injection flaw (CWE-89) in the Navayan CSV Export WordPress plugin (slug navayan-csv-export), affecting all versions up to and including 1.0.9. It stems from improper neutralization of special elements in SQL commands within the plugin: attacker-controlled request input is spliced into a database query, and no authentication is required to reach the affected code path (CVSS PR:N).

Unauthenticated remote attackers can exploit the issue over the network with low attack complexity and no user interaction. Because the injection is blind, the attacker receives no query output directly and instead infers data from differences in the application's responses (boolean- or time-based), which is slower than error- or union-based injection but still yields read access to the database. Per the CVSS vector, successful exploitation has high confidentiality impact (exfiltration of data from the WordPress database), no integrity impact and low availability impact, and the scope is changed because the vulnerable component (the plugin) differs from the impacted one (the shared WordPress database). Together these produce the 9.3 score.

The Patchstack advisory details the vulnerability and recommends updating Navayan CSV Export to a release later than 1.0.9 once a fixed release is available. Until then the standard WordPress plugin hardening practices apply: remove or deactivate the plugin if it is not needed, and run WordPress with a database account restricted to the privileges it actually needs so that an injection cannot reach beyond what the site itself requires. The EPSS score currently stands at 0.3246; this page records no score history, so the trajectory since disclosure is not documented here.

Vulnerability details

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Amol Nirmala Waman Navayan CSV Export (navayan-csv-export) allows Blind SQL Injection. This issue affects Navayan CSV Export: from n/a through <= 1.0.9.

CWE(s)

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Navayan CSV Export WordPress plugin (navayan-csv-export), versions up to and including 1.0.9.

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Penetration testing (addresses CWE-89): uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

Input validation (addresses CWE-89): validates query inputs to prevent SQL syntax or command manipulation. For CWE-89 the primary fix is a parameterised query (in WordPress, $wpdb->prepare()), with input validation as a second layer rather than the only defence.
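To make the weakness class described under "Deeper analysis" and the input-validation control above concrete, here is an added example written for this page; it is not code from the Navayan CSV Export plugin, whose vulnerable code is not shown here. It models, in Python against an in-memory SQLite database, a WordPress-style lookup that splices a request parameter into SQL, shows how a boolean-based blind injection recovers a secret one character at a time from nothing but a match/no-match response, and shows the same probes failing against a parameterised query and an allowlist validator. The table and column names, the secret value, and all function names are constructed for the illustration.

```python
import re
import sqlite3
import string

# Constructed stand-in for a WordPress database: two tables and one secret
# option value. Illustrative only; this is not the plugin's real schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE wp_options (option_name TEXT, option_value TEXT);
        INSERT INTO wp_options VALUES ('siteurl', 'https://example.test');
        INSERT INTO wp_options VALUES ('export_api_key', 'k7Q2');
        CREATE TABLE wp_posts (ID INTEGER, post_title TEXT);
        INSERT INTO wp_posts VALUES (1, 'Hello world');
        """
    )
    return conn

# The data a blind attacker wants; this query is the attacker's, not the app's.
SECRET_QUERY = "SELECT option_value FROM wp_options WHERE option_name='export_api_key'"

def count_posts_vulnerable(conn, post_id):
    # CWE-89: the request parameter is spliced into the SQL text, the Python
    # equivalent of $wpdb->get_var("SELECT ... WHERE ID = " . $_GET['id']).
    sql = f"SELECT COUNT(*) FROM wp_posts WHERE ID = {post_id}"
    return conn.execute(sql).fetchone()[0]

def count_posts_safe(conn, post_id):
    # Parameterised query: the value never reaches the SQL parser, which is
    # what $wpdb->prepare("... WHERE ID = %d", $id) does in WordPress.
    sql = "SELECT COUNT(*) FROM wp_posts WHERE ID = ?"
    return conn.execute(sql, (post_id,)).fetchone()[0]

POST_ID_RE = re.compile(r"[1-9][0-9]{0,9}")

def validate_post_id(raw):
    # Allowlist validation (the "validates query inputs" control): accept only a
    # bounded positive integer and hand the query a real int, never a string.
    if not isinstance(raw, str) or not POST_ID_RE.fullmatch(raw):
        raise ValueError("post id must be a positive integer")
    return int(raw)

def blind_extract(oracle, target_sql, max_len=32):
    """Boolean-based blind SQL injection against an endpoint that reveals only
    whether the query matched (1) or not (0).

    oracle(payload) returns the row count the application reports when the id
    parameter is `payload`. Each probe asks one yes/no question about one
    character of the target query's result, so no error messages or direct
    output are needed. Real tooling narrows each character with a binary
    search over ASCII; the linear scan here is simply easier to read.
    """
    charset = string.ascii_letters + string.digits + "_-./:"
    recovered = ""
    for pos in range(1, max_len + 1):
        matched = None
        for ch in charset:
            probe = f"1 AND substr(({target_sql}),{pos},1)='{ch}'"
            if oracle(probe) == 1:
                matched = ch
                break
        if matched is None:  # nothing matched: end of string (or charset miss)
            break
        recovered += matched
    return recovered

def demo():
    conn = make_db()
    leaked = blind_extract(lambda p: count_posts_vulnerable(conn, p), SECRET_QUERY)
    blocked = blind_extract(lambda p: count_posts_safe(conn, p), SECRET_QUERY)
    return leaked, blocked

if __name__ == "__main__":
    leaked, blocked = demo()
    print(f"vulnerable endpoint leaked: {leaked!r}")      # 'k7Q2'
    print(f"parameterised endpoint leaked: {blocked!r}")  # ''
```

Against the vulnerable function every probe is parsed as SQL, so the attacker's `AND substr(...)` clause controls whether the count is 1 or 0 and the secret comes back character by character; against the parameterised function the whole probe is compared as an opaque value to the integer column, matches nothing, and the extraction loop stops at the first position. The validator rejects the probe outright, which is why validation is a useful second layer, but only the parameterised query removes the weakness itself.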
