Cyber Posture

CVE-2024-12773

Severity: High | Public PoC: yes

Published: 27 January 2025
Modified: 07 May 2025
KEV Added: (no date recorded)
Patch: (none recorded)
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0041 (61.1st percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

The Altra Side Menu WordPress plugin through version 2.0 does not sanitize and escape a parameter before using it in a SQL statement, allowing administrators to perform SQL injection attacks.

Security Summary

CVE-2024-12773 is a SQL injection vulnerability (CWE-89) in the Altra Side Menu WordPress plugin through version 2.0. The flaw arises because the plugin does not sanitize and escape a parameter before incorporating it into a SQL statement, enabling SQL injection by authenticated users holding administrator privileges.

The vulnerability has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating that it is exploitable over the network with low attack complexity and no user interaction, but that it requires high privileges, i.e. administrator access. An attacker with admin rights can inject SQL payloads with high impact on confidentiality, integrity, and availability, potentially leading to full database compromise, including data exfiltration, modification, or deletion.

For mitigation details, refer to the WPScan advisory at https://wpscan.com/vulnerability/fab64105-599f-49a4-b01d-c873ff34b590/.

Details

CWE(s): CWE-89

Affected Products

Vendor: pulseextensions
Product: altra side menu
Versions: ≤ 2.0

References