History: Apr 25, 2024 - 10:15 p.m.

CVE-2024-3265

2024-04-25 22:15:09
WPScan
web.nvd.nist.gov
wordpress
advanced search
sql injection
multisite configuration

CVSS3: 4.7

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

AI Score: 9.6
Confidence: High

EPSS: 0
Percentile: 9.0%

The Advanced Search WordPress plugin through 1.1.6 does not properly escape parameters appended to an SQL query, making it possible for users with the administrator role to conduct SQL Injection attacks in the context of multisite WordPress configurations.

Affected configurations

Vulners
Node
advanced-woo-search | advanced_woo_search | Range 1.1.6 | wordpress

Vendor | Product | Version | CPE
advanced-woo-search | advanced_woo_search | * | cpe:2.3:a:advanced-woo-search:advanced_woo_search:*:*:*:*:*:wordpress:*:*

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "Advanced Search",
    "versions": [
      {
        "status": "affected",
        "versionType": "semver",
        "version": "0",
        "lessThanOrEqual": "1.1.6"
      }
    ],
    "defaultStatus": "affected"
  }
]
