Cyber Resilience

CVE-2024-6205

CriticalPublic PoC

Published: 19 July 2024

Published
19 July 2024
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.9016 99.6th percentile
Risk Priority 74 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-6205 is a critical-severity SQL Injection (CWE-89) vulnerability in Payplus Payplus Payment Gateway. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 0.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

The PayPlus Payment Gateway WordPress plugin before version 6.6.9 contains an SQL injection vulnerability (CWE-89) because it fails to properly sanitize and escape a parameter before incorporating it into a SQL statement. The flaw is exposed through a WooCommerce API route that does not require authentication, affecting any site using the vulnerable plugin version.

Unauthenticated remote attackers can supply crafted input via the exposed API endpoint to execute arbitrary SQL queries. Successful exploitation can result in full read, write, and delete access to the database, enabling complete compromise of the WordPress site given the CVSS 9.8 rating that reflects no required privileges or user interaction.

The referenced WPScan advisory recommends updating the PayPlus Payment Gateway plugin to version 6.6.9 or later to address the issue.

The associated EPSS score stands at 0.9016 with a recorded peak of 0.9037, reflecting sustained high exploitation probability.

EU & UK References

Vulnerability details

The PayPlus Payment Gateway WordPress plugin before 6.6.9 does not properly sanitise and escape a parameter before using it in a SQL statement via a WooCommerce API route available to unauthenticated users, leading to an SQL injection vulnerability.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

payplus
payplus payment gateway
≤ 6.6.9

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-89

Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

addresses: CWE-89

Validates query inputs to prevent SQL syntax or command manipulation.

References