CVE-2024-49666

High

Published: 21 January 2025

Published

21 January 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 8.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L

EPSS Score 0.0022 44.9th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in reputeinfosystems ARPrice arprice allows SQL Injection.This issue affects ARPrice: from n/a through <= 4.1.3.

Security Summary

CVE-2024-49666 is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability, classified under CWE-89, affecting the ARPrice WordPress plugin developed by reputeinfosystems. The issue impacts all versions of ARPrice from n/a through 4.1.3 inclusive.

The vulnerability carries a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L), indicating it can be exploited remotely over the network with low complexity by low-privileged users without requiring user interaction. Successful exploitation enables high-impact confidentiality violations across scopes, such as extracting sensitive data from the database, alongside low availability impact.

Advisories, including the Patchstack database entry at https://patchstack.com/database/Wordpress/Plugin/arprice/vulnerability/wordpress-arprice-plugin-4-0-3-sql-injection-vulnerability?_s_id=cve, provide details on the vulnerability in the WordPress ARPrice plugin.

Details

CWE(s): CWE-89

References

https://patchstack.com/database/Wordpress/Plugin/arprice/vulnerability/wordpress-arprice-plugin-4-0-3-sql-injection-vulnerability?_s_id=cve
audit@patchstack.com