CVE-2024-11939

High

Published: 08 January 2025

Published

08 January 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Score 0.0081 74.4th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

The Cost Calculator Builder PRO plugin for WordPress is vulnerable to blind time-based SQL Injection via the ‘data’ parameter in all versions up to, and including, 3.2.15 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Security Summary

CVE-2024-11939 is a blind time-based SQL injection vulnerability in the Cost Calculator Builder PRO plugin for WordPress, affecting all versions up to and including 3.2.15. The issue stems from insufficient escaping of the user-supplied 'data' parameter combined with a lack of sufficient preparation in the existing SQL query, allowing injection of additional SQL queries (CWE-89).

Unauthenticated attackers can exploit this vulnerability over the network with low complexity, requiring no privileges or user interaction (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, score 7.5). By appending malicious payloads via the 'data' parameter, they can extract sensitive information from the database through blind time-based techniques.

The plugin changelog for version 3.2.16 indicates a fix for this vulnerability. Wordfence has documented the issue in its threat intelligence, providing further details for remediation.

Details

CWE(s): CWE-89

References

https://docs.stylemixthemes.com/cost-calculator-builder/changelog-1/changelog-pro-version#id-3.2.16
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/96ad872f-9831-4113-99ae-322bcd2b6fbd?source=cve
security@wordfence.com