CVE-2024-6205
Published: 19 July 2024
Summary
CVE-2024-6205 is a critical-severity SQL Injection (CWE-89) vulnerability in Payplus Payplus Payment Gateway. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 0.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The PayPlus Payment Gateway WordPress plugin before version 6.6.9 contains an SQL injection vulnerability (CWE-89) because it fails to properly sanitize and escape a parameter before incorporating it into a SQL statement. The flaw is exposed through a WooCommerce API route that does not require authentication, affecting any site using the vulnerable plugin version.
Unauthenticated remote attackers can supply crafted input via the exposed API endpoint to execute arbitrary SQL queries. Successful exploitation can result in full read, write, and delete access to the database, enabling complete compromise of the WordPress site given the CVSS 9.8 rating that reflects no required privileges or user interaction.
The referenced WPScan advisory recommends updating the PayPlus Payment Gateway plugin to version 6.6.9 or later to address the issue.
The associated EPSS score stands at 0.9016 with a recorded peak of 0.9037, reflecting sustained high exploitation probability.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-47342
Vulnerability details
The PayPlus Payment Gateway WordPress plugin before 6.6.9 does not properly sanitise and escape a parameter before using it in a SQL statement via a WooCommerce API route available to unauthenticated users, leading to an SQL injection vulnerability.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.