CVE-2024-12404
Published: 11 January 2025
Description
The CF Internal Link Shortcode plugin for WordPress is vulnerable to SQL Injection via the 'post_title' parameter in all versions up to, and including, 1.1.0 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Security Summary
CVE-2024-12404 is a SQL injection vulnerability in the CF Internal Link Shortcode plugin for WordPress, affecting all versions up to and including 1.1.0. The issue stems from insufficient escaping of the user-supplied 'post_title' parameter combined with inadequate preparation of the existing SQL query, enabling attackers to append additional SQL queries to extract sensitive information from the database. It is classified under CWE-89 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. By manipulating the 'post_title' parameter, they can inject SQL payloads into ongoing queries, potentially dumping sensitive database contents such as user credentials, post data, or other confidential information hosted by the WordPress site.
Advisories from sources such as Wordfence provide threat intelligence on the vulnerability, while the WordPress plugin Trac repository shows the root cause in the source code at internal-link-shortcode.php line 82. Practitioners should update to a patched version if one is available, or otherwise disable the plugin, since the CVE description does not state which release fixes the issue.
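As an added illustration of the defect class the description names, and not the plugin's own code, the following PHP contrasts a query built by string concatenation (the CWE-89 pattern: the value reaches the SQL parser unescaped and unprepared) with one that binds the title as a parameter. The table, rows and function names are constructed for this demo, and an in-memory SQLite database is used through PDO so it runs outside WordPress; the comment in the hardened function gives the equivalent $wpdb->prepare() shape a plugin would use.

```php
<?php
// Added example, not the CF Internal Link Shortcode plugin's code.
// Demonstrates the defect class behind CVE-2024-12404 (CWE-89) with a
// self-contained SQLite database via PDO. Table layout, rows and
// function names are constructed for this demo.

function make_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT)");
    $ins = $db->prepare("INSERT INTO wp_posts (ID, post_title) VALUES (?, ?)");
    foreach ([[1, 'Hello world'], [2, "O'Brien's notes"]] as $row) {
        $ins->execute($row);
    }
    return $db;
}

// Vulnerable pattern: the untrusted value is spliced into the SQL text, so
// any quote or operator it contains becomes part of the statement.
function lookup_by_title_vulnerable(PDO $db, string $title): ?int {
    $sql = "SELECT ID FROM wp_posts WHERE post_title = '" . $title . "' LIMIT 1";
    $id  = $db->query($sql)->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Hardened form: the value travels as a bound parameter and is never parsed
// as SQL. In a WordPress plugin the same shape is
//   $wpdb->get_var( $wpdb->prepare(
//       "SELECT ID FROM {$wpdb->posts} WHERE post_title = %s LIMIT 1", $title ) );
function lookup_by_title_fixed(PDO $db, string $title): ?int {
    $stmt = $db->prepare("SELECT ID FROM wp_posts WHERE post_title = ? LIMIT 1");
    $stmt->execute([$title]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

$db = make_demo_db();

// A plain title behaves identically in both versions.
var_dump(lookup_by_title_vulnerable($db, 'Hello world'));
var_dump(lookup_by_title_fixed($db, 'Hello world'));

// A title containing an apostrophe exposes the difference: the concatenated
// query hands the quote to the SQL parser and raises a syntax error, while
// the prepared query matches the row as intended.
try {
    var_dump(lookup_by_title_vulnerable($db, "O'Brien's notes"));
} catch (PDOException $e) {
    echo "vulnerable query failed: " . $e->getMessage() . PHP_EOL;
}
var_dump(lookup_by_title_fixed($db, "O'Brien's notes"));
```

Run it with `php example.php` on a PHP build that has pdo_sqlite enabled. The apostrophe case is deliberately benign: it is enough to show that the concatenated version lets input alter the statement's structure, which is the property an attacker abuses, and that the bound-parameter version removes that property rather than trying to filter it.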
Details
- CWE(s)